As new data privacy regulations like the California Consumer Privacy Act (CCPA) roll out, organizations concerned about compliance are changing how they handle sensitive customer information. One interesting trend we’ve noted is that companies are creating committees to handle customer requests about their personal information, often including someone from the privacy office, someone from the security office, and someone from the department or function that owns the data. These three representatives then work together to determine what data the company has, what it has to do to protect that data, and what it is required to provide to customers.
It makes sense to make a team effort out of figuring out what qualifies as personally identifiable information (PII). New regulations extend companies’ responsibility beyond the obvious, like names and credit card numbers, to include just about anything that might be linked back to the individual, like an IP address or GPS coordinates. That puts them on the hook for figuring out not just who data belongs to, but what kinds of data they might have.
Complying with privacy regulations isn’t going to get any easier, so we’re curious: what are you doing to protect PII? How are you changing your current procedures? Where are you getting stuck?