When businesses process customer data, they are responsible for keeping it secure under Australia’s Privacy Act. If the information relates to anyone from Europe, the General Data Protection Regulation (GDPR) also applies. Both regulations require organisations to appropriately manage the personally identifiable information (PII) they hold.
In addition, the Australian government has stipulated that businesses must address the significant increase in data breaches over the past two years. Between July and December 2021, the Office of the Australian Information Commissioner (OAIC) received 464 data breach notifications, an increase of six per cent compared to the previous period.
For larger enterprises, the challenge is even more critical. Such companies often have multiple data repositories used by multiple stakeholders, and some are unaware of what company-specific customer information they have on file. For these companies, one data breach could wreak havoc, especially if they aren’t adequately equipped with the right governance in place to manage this type of information.
As a result, many businesses have adopted data-loss prevention measures. However, this isn’t a sure-fire solution. Instead, businesses should get a head start with a document management solution that distinguishes business-critical data and sensitive information such as PII so it can be appropriately managed.
With the increasing occurrence of data breaches involving PII, it’s important to consider implementing the following best practices:
- Discover and classify PII: An organisation has thousands, even millions, of documents in its data repositories such as network folders, SharePoint, OneDrive, Microsoft Teams, and e-mail. However, to comply with privacy legislation, businesses shouldn’t have any PII data stored in these locations. Forward-thinking organisations use a solution that helps businesses find PII data in all their databases, tagging with metadata the documents that potentially contain social security numbers. From there, a workflow can be initiated to ensure that misfiled records are either relocated or destroyed.
- Implement the least-privilege model: The principle of least privilege (POLP) works by limiting access rights for users and allowing only enough access to perform the required task. With defined access permissions, businesses can avoid PII getting into the wrong hands and being distributed to a broader network.
- Leverage real-time monitoring: With a smart document management platform, businesses can leverage an automated background service that constantly checks for new files and information. For example, if someone stores a credit-card number in the comments section of an application, the system should be able to alert that person so the business can act.
- Avoid storing unnecessary PII: Businesses should destroy or de-identify PII once it's no longer needed or when there is no further legal obligation to hold it, including former customer data. Being able to automatically set permissions to protect documents that contain PII can help. Businesses should also implement appropriate measures and policies to avoid leaving data traces in unsecured locations or accidental data deletion.
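As an added example (not M-Files code and not part of the original article), the following Python sketch shows the kind of background check the discovery and real-time monitoring practices above describe: it scans the free-text fields of constructed sample records for payment-card numbers, uses the Luhn checksum to filter out look-alike digit runs such as order references, and produces a classification tag plus a masked value that is safe to place in an alert or hand to a relocation workflow. The record layout, field names and tag name are assumptions.

```python
from __future__ import annotations
import re
from dataclasses import dataclass

# Candidate card numbers: 13 to 19 digits, optionally separated by spaces or dashes.
CARD_CANDIDATE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


def luhn_valid(digits: str) -> bool:
    """Luhn checksum: separates real card numbers from random digit runs (order IDs, refs)."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


@dataclass
class Finding:
    record_id: str
    field: str
    masked: str     # only the last four digits survive, safe for an alert or audit log
    tag: str        # hypothetical classification tag applied as metadata


def scan_record(record_id: str, fields: dict) -> list[Finding]:
    """Check every free-text field of one record for Luhn-valid card numbers."""
    findings = []
    for name, text in fields.items():
        for match in CARD_CANDIDATE.finditer(text or ""):
            digits = re.sub(r"[ -]", "", match.group())
            if luhn_valid(digits):
                masked = "*" * (len(digits) - 4) + digits[-4:]
                findings.append(Finding(record_id, name, masked, "PII:payment-card"))
    return findings


# Constructed sample records (not real data): one comments field holds a card number.
SAMPLE_RECORDS = {
    "APP-1001": {"comments": "Customer asked to pay with card 4111 1111 1111 1111 by phone"},
    "APP-1002": {"comments": "Order ref 1234567890123456 shipped"},   # 16 digits, fails Luhn
    "APP-1003": {"comments": "No payment details supplied"},
}


def scan_all(records: dict) -> list[Finding]:
    """Run the check over a batch of records, e.g. files picked up by a background service."""
    return [f for rid, fields in records.items() for f in scan_record(rid, fields)]
```

Only APP-1001 is flagged; the digit run in APP-1002 fails the checksum and is left alone, which is the false-positive control a monitoring service needs before it alerts a user.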
Staying ahead of a shifting threat landscape
If businesses want to mitigate data loss risk, they must practice superior PII data management. With the right solution, businesses can proactively find and classify PII data, making it easier to gain insight into what data they hold, and take the steps to effectively manage and protect it.
M-Files Discovery finds business-critical information within extensive document archives and automatically classifies and categorises those documents with relevant metadata. It can also help companies find various forms of PII from different information silos and initiate a workflow to properly manage documents and application databases.
To find out how M-Files Discovery can help your organisation effectively manage and protect PII against data breaches, contact the team today.