When companies process customer data, they are responsible for its security under the General Data Protection Regulation (GDPR). The regulation requires organisations to manage the personally identifiable information (PII) they hold appropriately.
We live in a time when this is a big challenge for companies and the number of data breaches is only increasing. Companies often have multiple repositories used by multiple stakeholders, and some do not even know what company-specific customer data they store. For these companies, just one data breach can wreak havoc, especially if they do not have the right governance in place to manage this kind of information.
Many companies put rules in place to prevent data breaches and data losses. Rules alone, however, do not make data secure. Companies would benefit far more from a document management solution that can itself distinguish business-critical and sensitive information such as PII from the rest, so that it can be managed appropriately.
Given the increasing number of data breaches and breaches involving PII, it is worth considering the following best practices:
Discovery and classification of PII
An organisation owns thousands, sometimes even millions, of documents and stores them in places like network folders, SharePoint, OneDrive, Microsoft Teams and email. However, to comply with privacy laws, companies should not have PII data stored in these locations.
Forward-thinking organisations use a solution that finds PII data across all their databases and storage locations and then 'tags' it as sensitive information. A workflow can then be initiated to ensure that improperly stored records are moved or destroyed.
Applying the principle of least privilege
The principle of least privilege (POLP) limits users' access rights, granting only the access needed to perform the required task. With defined access rights, companies can prevent PII from falling into the wrong hands and spreading across the wider network.
Using real-time monitoring
With a smart document management platform, companies can use an automated background process that constantly checks for new files and information. For example, if someone stores a credit card number in an application file, the system should be able to alert that person so that the company can act.
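The discovery, classification and monitoring steps described above, as an added example that is not M-Files code: a small Python scanner that finds payment card numbers in plain-text documents, validates them with the Luhn checksum to cut down false positives, and reports which documents should be tagged as PII, masking the numbers so the alert itself does not leak them. The file suffixes scanned and the sample documents are assumptions.

```python
import re
from pathlib import Path

# Runs of 13-19 digits, optionally separated by single spaces or dashes,
# bounded by non-digits so a longer digit run is never matched piecemeal.
CARD_PATTERN = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


def luhn_valid(digits: str) -> bool:
    """Luhn mod-10 checksum; filters out random digit runs such as IDs or timestamps."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def find_card_numbers(text: str) -> list[str]:
    """Return Luhn-valid card numbers found in text, masked to the last four digits."""
    hits = []
    for match in CARD_PATTERN.finditer(text):
        digits = re.sub(r"[ -]", "", match.group())
        if luhn_valid(digits):
            hits.append("*" * (len(digits) - 4) + digits[-4:])   # never log the full number
    return hits


def classify_documents(documents: dict[str, str]) -> dict[str, list[str]]:
    """Map document name -> masked findings for every document that should be tagged as PII."""
    return {name: hits for name, text in documents.items() if (hits := find_card_numbers(text))}


def scan_tree(root: Path, suffixes=(".txt", ".csv", ".log")) -> dict[str, list[str]]:
    """Read plain-text files under root and classify them; unreadable files are skipped (assumed suffixes)."""
    documents = {}
    for path in root.rglob("*"):
        if path.is_file() and path.suffix.lower() in suffixes:
            try:
                documents[str(path)] = path.read_text(errors="ignore")
            except OSError:
                continue
    return classify_documents(documents)


if __name__ == "__main__":
    # Constructed sample: one document with a Luhn-valid test number, one with a lookalike.
    sample = {
        "application.txt": "Applicant paid with card 4111 1111 1111 1111 on 2024-03-01.",
        "orders.csv": "order_id,ref\n1,4111111111111112\n",   # fails Luhn: not flagged
    }
    for name, masked in classify_documents(sample).items():
        print(f"TAG AS PII: {name} -> {masked}")
```

In a real deployment the same classifier would run as the background process the text describes, feeding its findings into the permission and workflow steps rather than printing them.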
Avoid storing unnecessary PII
Companies should destroy or depersonalise PII as soon as it is no longer needed or when there is no longer a legal obligation to retain it, including former customer data. It can help to set up automatic permissions to protect documents containing PII. Companies should also implement appropriate measures and policies to prevent data traces being left in unsecured locations or data being accidentally deleted.
Staying ahead of a shifting landscape of digital threats
If companies want to reduce the risk of data loss, they must implement modern management of PII data. With the right solution, companies can proactively find and classify PII data, making it easier to understand what data they hold and take the steps to manage and protect it effectively.
M-Files finds business-critical information in large document archives. M-Files can be used to automatically classify and categorise documents and find personally identifiable information (PII). It can automatically set metadata, update document permissions and launch matching workflows.
Curious how M-Files automatically recognises and detects business-critical information? Schedule a personal demonstration to see how this happens.