September 2022

· 3 min read

5 Steps Business Owners Must Take To Protect Personally Identifiable Information

The first step is taking inventory of all the personally identifiable information your business maintains.
Abstract tech background in purple color - 5 Things Business Owners Should Do to Protect PII | NSF

The success of any business depends in large part on customer trust. Customers have to trust that a company they are doing business with operates in an ethical way. Likewise, the company must trust that the information a customer provides is accurate and legitimate. Businesses also have an ethical and legal responsibility to safeguard the sensitive information they collect. Business owners and stakeholders who are able to protect customer information will earn their customers’ loyalty. Those who do not have security measures in place, allowing a security breach or data theft to occur, will lose customer trust and may have to defend themselves against potential lawsuits. Given the serious risks involved, making data security a top priority is key.

What kind of personally identifiable information, or PII, are we talking about? Well, think about all the different kinds of personal data companies gather — identifiers such as names, Social Security numbers, credit and debit card account numbers, birthdates, addresses, phone numbers, email addresses, and health information.

Of course, there are good reasons to gather sensitive information. An online retailer will need to gather credit card information and shipping details to process and send a purchase to a customer. A health insurance company has to collect date of birth, Social Security number and contact information in order to issue a new customer policy.

The Bureau of Consumer Protection of the Federal Trade Commission, an agency of the U.S. government, recommends five simple steps all businesses, both large and small, should take to safeguard customers’ PII. It’s a proven, effective approach that doesn’t require expensive software or new devices. Our experts weighed in on each of the 5 steps to help your business get smart about protecting PII.

  1. 1

    Take Stock

    Know what PII you have in your files and on your computers. This may seem obvious at first glance, but some business owners may be tempted to jump ahead in the process and start deleting information they feel is no longer needed. Instead, think strategically. Start with a complete inventory of all the PII data your business maintains. Know what you have first, so you can then decide what to cut. Conduct a complete inventory, just as you would for products stored in your warehouse. Except in this case, it’s PII. Check all computers, laptops, mobile devices, flash drives, disks, home computers and digital copiers for sensitive data. If you have hard copy files with PII, include those in the inventory also.

  2. 2

    Scale Down

    Keep only what you need for your business. Write down all the ways your business receives PII. Include websites, contractors, advisors and consultants. Speak with staff across all departments, including accounting, human resources, information technology, marketing and sales, to help ensure that you have a complete picture of where all PII is stored. Ask yourself these basic questions: Who sends sensitive information to my business? How does my business receive PII? What kinds of data does my business collect?

  3. 3

    Lock It

    Protect the information you keep. Where do we keep the information received? Create a map of the various places and add it to your list. Remember to include employees who use company laptops to work from home. Who has or could have access to PII? Consider staff as well as outside contractors and vendors.

  4. 4

    Pitch It

    Properly dispose of what you no longer need. Business owners who protect customer data are not only looking out for their business by avoiding legal jeopardy but also showing how much they value safeguarding their customers’ information and privacy.

  5. 5

    Plan Ahead

    Create a plan to respond to security incidents. Laws like the Gramm-Leach-Bliley Act, the Fair Credit Reporting Act and the Federal Trade Commission Act that may require you to show reasonable steps to protect sensitive data are an added legal incentive for management to take the time and make the effort to get this data security component right.

Want To Learn More About Protecting PII?