Your PII Compliance Checklist

Given the sensitive nature of personally identifiable information (PII), there are multiple regulations businesses need to be aware of when they collect email addresses, payment information or anything else that could potentially identify a customer.

But securing PII is more than just adhering to compliance regulations — it also helps you build trust with your customers, and lets them know their privacy is paramount when they connect with you. 

Unfortunately, PII compliance can be challenging — particularly for organizations with complex enterprise systems or large user databases. We’ve created this step-by-step PII compliance checklist to help make sure you’re properly protecting your most sensitive data.

Step One: Locate PII

You can’t properly protect PII if you don’t know where it is. The first step in protecting your sensitive data is discovering where it resides in your business applications. 

Tips:

• Go through your business processes and applications to determine where PII is collected and stored
• Look at interfaces, apps, databases, integrations and reports to see how data flows through them, and where any potential vulnerabilities may lie 
• Don’t forget to look at images — photographs, fingerprints, handwriting and other biometric data all are all considered PII 

Step Two: Classify PII

A preliminary review of where PII is (or could be) stored will likely return a large volume of data. Not all of it will be relevant. Data classification will help you flag the systems and processes that will be most critical to PII compliance. 

Tips:

• Use standardized taxonomy
• Create a data inventory map or list
• Categorize the data by confidentiality impact level
• Evaluate the sensitivity levels of the data

Step Three: Build a PII policy or data governance framework

Data classification gives you an excellent position to develop risk-based PII compliance policies. Once you know where your sensitive personal data lies, you can create rules for managing it effectively. This not only helps with PII compliance, it will improve overall the quality of your data as well as big-picture issues like security and business continuity.    

Tips:

• Create policies based on the compliance regulations you’re subject to
• Specify how you define PII and how to analyze risk affecting it
• Designate someone to own and facilitate the program
• Update your framework as data governance laws change
• Schedule annual or quarterly reviews of your framework

*Note: Data classification is a critical tool for compliance and security — and luckily, we have a few resources to get you started:

• Protect Your Data with Salesforce Data Classification
• A Guide to Customizing Your Salesforce Data Classification Settings
• Salesforce Data Classification: Metadata Field Reporting

Step Four: Conduct a privacy impact assessment 

A privacy impact assessment tests the effectiveness of your data governance framework and lets you know if there are any gaps you should be concerned with. 

Tips:

• Analyze who has access to your PII
• Conduct periodic risk assessment tests (and assign someone to facilitate them)
• Identify how easily individuals can be identified by your PII
• Evaluate the context of use (the purpose for which your PII is collected, stored, used, processed, disclosed)

Step Five: Secure your PII with appropriate processes and standards

After you’ve completed the steps above, you should be ready to implement the processes you’ve laid out in your PII governance framework. This step, as you can imagine, is the most important aspect for PII compliance; if you don’t bring your data protection policies to life, then they are useless. 

Tips for securing your PII:

• Encrypt databases where PII is kept
• Encrypt any communication where PII is being transmitted
• Use the principle of least privilege
• Don’t keep PII longer than you need it; cleanup your database(s) regularly
• Use data classification to categorize the sensitivity levels of your data
• Use firewalls
• Implement user authentication or multi-factor authentication
• Invest in intrusion detection technology
• Conduct staff training
• De-identify records by removing enough PII that individuals cannot be identified

Just getting started on your compliance journey? Check out our article on GDPR in Salesforce before you go!