Persona provides you with GDPR and CCPA compliance right out of the box. It all starts with Accounts. Accounts is a new feature that enables organizations to view the entire history of how they've interacted with an individual over time. By providing a reference ID, you can automatically link many different Inquiries to the same individual. Now, it’s straightforward to compare information collected in an Inquiry against what's already known about that individual user. In summary, we are providing a holistic way to understand an individual. We are moving toward verifying "who an individual is" and away from "what we learned about an individual this time."
With Accounts, you have a log of interactions with an individual and a record of all the individuals who have signed up for your service. This unlocks three main use cases:
- Reverification of an individual who is already using your service
- Ability to run continuous reports over time
- Safe PII and information storage
For now, we will deep dive into PII Storage. Check out our other posts to learn more about reports and reverification.
What’s the deal with PII and compliance?
Under the California Consumer Privacy Act (CCPA), all individuals have the right to access the personal data that is held about them by any company. Additionally, consumers can request that organizations delete their personal data and restrict how it is used. For the business owner, CCPA guidelines require businesses to maintain a data inventory to track data processing history.
Additionally, under the General Data Protection Regulation (GDPR), European Union (EU) citizens can request access to any of their PII stored by companies or ask that PII be deleted. Organizations must meet these requests in as timely a manner as possible and provide proof that requests were completed as directed. Failure to do so could lead to fines or business sanctions.
If you are already an administrator of your Persona account, you won’t have to worry, because we handle all of this for you and make it very easy for you to administer any kind of data aggregation for your users with Accounts.
The importance of security and compliance for PII
With laws such as CCPA and the GDPR giving individuals increased control over their data, companies must take steps to cultivate consumer confidence and ensure they feel comfortable sharing PII.
Because individuals want to know that you’re taking steps to effectively protect their PII, it's important to create comprehensive security frameworks that prioritize the protection of data at each step of the process: collection, storage, usage, retention, and destruction. Here, no single step is more important than any other — continuous security is critical for success. Failure to deploy effective security processes and policies may lead to data breaches of sensitive information and set the stage for user identity theft.
It's also important to ensure you comply with any regulations applicable to your business. For example, GDPR defines six acceptable reasons for collecting user PII: vital interest of the individual, the public interest, contractual necessity, compliance with legal obligations, unambiguous consent of the individual, or legitimate interest of the data controller. If you collect data outside these reasons, you may be subject to fines or sanctions.
While CCPA and GDPR don’t mandate specific security controls to protect collected data, they both require companies to do their due diligence and take reasonable precautions against the loss, theft, or damage of PII. Failure to do so could lead to legal challenges or fines, and in the event of a data breach, evidence of robust security controls can limit overall legal liability.
How to start securing your PII
The sheer volume of customer data collected and types of data that now fall under the umbrella of PII for both CCPA and GDPR — in addition to other evolving data protection regulations such as Brazil’s LGPD and the Health Insurance Portability and Accountability Act (HIPAA) — make it impossible to effectively defend PII using time- and resource-intensive manual processes.
You can take five main steps to reduce the risk of PII data loss or compromise.
1. Identify where PII is stored
First, find where your PII is stored and make sure it’s secure. In most cases, PII is funneled to an on-site or cloud-provided database and accessed as needed. If you have multiple PII storage destinations, it may be worth consolidating them into a single storage point and then creating redundant backups of this centralized solution to mitigate the impact of an attack or outage.
Once you’ve identified where personal information is being stored, ensure you have proper controls in place to prevent the accidental or malicious exfiltration or use of data.
2. Create a usage policy
Both CCPA and GDPR lay out specific use cases for PII and personal health information (PHI). As a result, it’s worth creating an internal usage policy that details exactly when PII can be used and under what circumstances. This policy must be applied broadly, meaning everyone in your organization — from front-line staff to C-suite executives — must adhere to PII usage expectations.
3. Enact an encryption solution
Encrypted data is safer data. By implementing robust encryption solutions (think at least AES-256), you can meet due diligence requirements and reduce the risk that attackers will compromise data such as driver's license numbers, zip codes, passport numbers, or Social Security numbers, even if they manage to access secure databases. Encryption also offers a way to protect non-sensitive PII whose exposure could still result in regulatory non-compliance.
4. Deploy access management tools
Access management is also a critical component of sensitive data protection. Here, it may be worth deploying identity and access management (IAM) solutions capable of providing granular data access based on user role and the purpose of data use to reduce the risk of accidental or unauthorized transmission of data.
5. Monitor ongoing use and access
Data security and compliance aren’t fire-and-forget. Instead, it’s important to continually monitor use and access across your databases to confirm that current controls are working and make changes to security posture as regulatory expectations evolve.
Decrease liability by keeping your users’ data safe with Persona
When you use Persona for your identity verification, you can focus on what you do best and leave the PII up to us, knowing that we have it stored securely for you. Not having PII in your system means you don’t carry the liability of any potential breaches or leaked customer data, yet you have easy and reliable access to it whenever you need via Persona. Persona has all of the highest security standards, so you can know that your data is safe with us. We basically offer you GDPR and CCPA compliance right out of the box.
Accounts support your CCPA compliance
Accounts let us mirror users on your systems with the accounts on our system, which makes it easy for you to map the information that you need to find. In the event that an individual requests their PII, it will be easy to retrieve it from Persona because all information about that user will be stored under that user’s Account. Because Persona processes and stores individuals' PII on your behalf, you will have to request this data from Persona if you wish to have access to it exported.
How can I retrieve this data from an account?
- In the Accounts section of your dashboard, you can search for the Account you need via reference ID or name and see all the information that has been collected for that Account.
- You can also use the API to get the information you need from Persona whenever you need to.
- If you’d like to export the information for whatever reason, please reach out to us.
What is stored on the account?
How can I use tags to stay organized?
Tags let you organize your Accounts via custom values that can be associated with an Account. Tags let you model any information specific to your system inside Persona, which can give more context if you need to go back and look through the data. For example, you can create a tag called “frozen” to communicate that the individual may be frozen in your system. This could be useful to let an analyst know the state of an Account when working through Account recovery. There are many more ways you can use tags to organize information about your users — get as creative as suits you!
Retention policies, scheduled redaction, and archival of PII
If you have compliance or legal requirements for how long you can keep PII, you can set up automated PII removal on the cadence of your choosing. When an Account is redacted, all PII collected up until that point on that Account will also be redacted. The Account still exists and can be used to collect new information. When an Account is archived, it is effectively deleted from our system and can no longer be used. In both cases, all associated Inquiries, Reports, and Documents are also redacted (though the opposite is not true: redacting an Inquiry will not affect the Account).
If you are interested in scheduled redaction or archival of PII on your system, please reach out to your representative at Persona to set it up, or email email@example.com.