The Evolution of PII Protection: From Paper to Digital

Cole Pruden

Artificial Intelligence, Data Discovery, Data Protection, Personal Data, PII, Sensitive Data

PII has come a long way in a relatively short time, yet protecting it fully is like trying to shield a moving target. But sometimes the best way to choose a path forward is to peek at the past and learn from its evolution.

Humble Beginnings

It’s hard to think about PII, or Personally Identifiable Information, without also imagining computers, data storage, and terabytes or even petabytes of files. But in reality, PII’s roots stretch all the way back to the mid-1970s, decades before the concept of a “home computer” even existed.

The United States’ Privacy Act of 1974 was the first government-mandated regulation to tackle what we know today as PII. In its own words, this act required “agencies to comply with statutory norms for collection, maintenance, access, use, and dissemination of records”.

The Privacy Act of 1974 laid the foundation for future data protection regulations. But you have to fast-forward all the way to 2007 to find the first mention of information being “personally identifiable”.

This phrase, later to become commonplace all over the world, was first mentioned in a memorandum from the Executive Office of the President, Office of Management and Budget (OMB). It would then receive standard usage in countless directives, including the NIST Guide to Protecting the Confidentiality of Personally Identifiable Information.

In fact, we’ve already dedicated many an article to defining and discussing PII. Check out our other articles if you’re looking for useful examples or a further deep dive into the subject.

PII Goes Global

It wasn’t long until PII had become relatively mainstream. In the beginning, it was often the US government spearheading PII protection, but once word had gotten out, countless other countries and governing bodies followed suit.

Possibly the greatest example – or at least the one your typical “man on the street” knows exists – is the GDPR. The General Data Protection Regulation is a European Union regulation on information privacy in the EU and the European Economic Area (EEA).

First introduced in 2016, this landmark regulation works with European privacy and human rights laws to protect citizens’ PII both in and outside the Union. The GDPR’s goals are to enhance individuals’ control and rights over their personal information and to simplify the regulations for international business.

The GDPR also helped numerous other countries create and enact their own set of PII-related privacy rules, covering a wide range of topics. This includes everything from family and educational rights (FERPA) to securing credit card information (PCI DSS). There’s also South Africa’s POPIA, Brazil’s LGPD, and the CCPA in California, just to name a few.

Protecting PII Today

At this stage, we’ve arrived at what you could call the modern era of PII protection. In the early days, protecting PII often felt more like a scene from a spaghetti western, with outlaws and bank robberies popping up everywhere you look.

Today, things are much different. Pretty much every government enforces some version of data privacy and PII protection regulations. In fact, protecting PII has become such a crucial part of running any business that organizations, institutions, universities, etc., all include their own set of rules and in-house standards for employees, administrators, and students to adhere to.

And all these sensitive-data-related provisions require modern tools to help ease the load of transmitting, storing, and remediating PII. It’s safe to say a simple filing cabinet with a safety lock isn’t quite cutting it by today’s data protection standards.

It’s nothing short of impossible in today’s fast-paced technological landscape to manage PII by hand. That’s why many entities choose to turn to AI and automated sensitive data discovery tools to ensure their practices follow every relevant regulation.

These sorts of tools come in extra handy as well when certain directives receive updates or amendments. Take the PCI DSS for example, which just went through a major overhaul, now in effect as of March 2024. Any PII protection software worth its salt was well aware of this update long before the changes even went into force.

An Automated Future

Given that AI is already being used in so many tools today, it’s safe to guess the future of PII protection is going to involve automated processes and AI-driven algorithms even more. As the sheer volume of stored and transmitted PII continues to grow around the world, it would only make sense that protective technologies advance alongside it.

So, if you’re not on board yet, there’s still time to hop on the PII protection train, driven by data discovery tools and models trained by AI. There’s really no other viable solution for any company or institution looking to safeguard not only its own interests but, more importantly, the PII of its customers, employees, and users. And that’s a secure future we should all want to be a part of.
