Secure, Identify, Tag, Control, Audit, Remove
PII held in content (documents, scans, records) calls for a slightly different strategy than PII held in structured data.
Feith Systems developed The SITCAR Model for privacy control and compliance projects. The model defines the six major steps and concerns when dealing with privacy in content systems, and clarifies how Feith Systems uses our software to help clients solve the privacy in content problem.
Security comes first: the other steps in privacy control mean very little without it. This means the familiar controls, encryption in transit and at rest, and alerts that flag unusual downloading or viewing behavior.
It also means steps that not every organization has adopted, like requiring that your content repository vendors perform adequate code review and threat modeling on their software and can demonstrate data integrity.
PII you do not know you have, because it was never identified, is a major risk: what you cannot see you cannot control. Taking inventory of your systems and the PII in them is key.
Data discovery technologies, like Feith's, help you decide where to focus your energy and support data minimization and ROT (redundant, obsolete, trivial) reduction before you begin tagging that data.
Feith uses its Auto-Categorizer engine for this step. It identifies basic structured identifiers such as phone numbers and SSNs, as well as harder unstructured PII, by classifying records by type (e.g. background investigations, income documents).
After you’ve identified the relevant content, the next step is to Tag it. Tagging the PII with Metadata values allows us to deal with it programmatically. Without tags, all PII would need to be dealt with manually. Those tags can include the sensitivity level of the information, the nationality of the data subject, or the category of information.
Once content is tagged, it can be controlled and secured. Feith builds roles whose access is limited to certain tags, a kind of security keyword profile. For example, if documents tagged EU Data Subject should be visible only to employees in the EU, a profile granting access to that keyword enforces it. Because the access decision is made from the tag, the tagging step has to be trustworthy: an untagged or mis-tagged document escapes the control.
Auditing is made up of a few different parts:
- Provable data integrity and data accuracy
- Tracking employee access and actions
- The ability to respond to data requests
- The ability to document compliance
Feith can do this because it audits every field in the system, a requirement of the DoD 5015.02 standard.
Last but not least is the ability to remove the PII. For Feith, this means handling data retention and records management. It also means securely and automatically redacting information, which makes it possible to keep up with data subject right-to-be-forgotten (erasure) requests.
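As an added example, not Feith's code and not a description of how its software works, the Identify, Tag, Control and Remove steps above, with an access audit trail, sketched in Python. The regular expressions, tag names, keyword-profile rule, user names and the sample record are all assumptions made for illustration.

```python
import re
from dataclasses import dataclass, field

# Illustrative detectors for two kinds of structured PII. These are hypothetical
# patterns written for this example, not the rules used by any product; a real
# deployment would add many more and validate candidates where a checksum exists.
PII_PATTERNS = {
    # US SSN: area 001-899 excluding 666, group 01-99, serial 0001-9999
    "SSN": re.compile(r"\b(?!000|666|9\d\d)\d{3}-(?!00)\d{2}-(?!0000)\d{4}\b"),
    # North American phone number in common layouts; digit look-arounds
    # instead of \b so a leading "(" is still matched
    "PHONE": re.compile(r"(?<!\d)(?:\+1[ .-]?)?\(?\d{3}\)?[ .-]?\d{3}[ .-]?\d{4}(?!\d)"),
}

# Every access decision is recorded here (the Audit step): who, which document, outcome.
AUDIT_LOG = []


@dataclass
class Document:
    doc_id: str
    text: str
    tags: set = field(default_factory=set)


def identify(doc):
    """Identify step: return the set of PII categories detected in the text."""
    return {name for name, pat in PII_PATTERNS.items() if pat.search(doc.text)}


def tag(doc, extra_tags=()):
    """Tag step: store detected PII categories as metadata on the document,
    plus tags supplied from context (e.g. the data subject's jurisdiction).
    Any PII tag also implies the umbrella tag "PII"."""
    doc.tags |= identify(doc)
    doc.tags |= set(extra_tags)
    if doc.tags:
        doc.tags.add("PII")
    return doc.tags


def may_access(user, profile_keywords, doc):
    """Control step: a profile may open a document only if it holds every
    keyword the document is tagged with (keyword security). A document tagged
    "EU Data Subject" is therefore invisible to any profile lacking that keyword.
    An untagged document has no restriction, which is why Identify must be thorough."""
    allowed = doc.tags <= set(profile_keywords)
    AUDIT_LOG.append((user, doc.doc_id, "ALLOW" if allowed else "DENY"))
    return allowed


def redact(doc, categories=None):
    """Remove step: return a copy of the text with matched PII replaced by a
    category marker. The stored original remains subject to retention rules;
    the redacted copy is what can be released after an erasure request."""
    out = doc.text
    for name, pat in PII_PATTERNS.items():
        if categories is None or name in categories:
            out = pat.sub(f"[{name} REDACTED]", out)
    return out


def demo():
    """Run the four steps over a constructed sample record and return the results."""
    # Constructed sample text; the SSN and phone number are fictitious.
    doc = Document("BI-0001", "Applicant John Q. Public, SSN 123-45-6789, phone (301) 555-0142.")
    tags = tag(doc, extra_tags=["EU Data Subject"])
    eu_hr_profile = ["PII", "SSN", "PHONE", "EU Data Subject"]
    us_hr_profile = ["PII", "SSN", "PHONE"]
    return {
        "tags": tags,
        "eu_access": may_access("alice@eu", eu_hr_profile, doc),
        "us_access": may_access("bob@us", us_hr_profile, doc),
        "redacted": redact(doc),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
    for entry in AUDIT_LOG:
        print("audit:", entry)
```

Two points a practitioner would check here: access is decided purely from tags, so a document the Identify step misses carries no tags and is open to every profile, and redaction produces a copy, leaving the retained original to the retention and records-management rules rather than silently destroying it.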
Much of the information you collect about your clients, partners and employees constitutes PII. Laws and regulations define how you must control and manage that information, and the PII itself is a legal risk to you. PII, or Personally Identifiable Information, that is leaked in a breach or inappropriately maintained can bring large fines and damage to your brand.
Feith’s SITCAR model can help you take control of PII in your content. If you’re interested in learning more about how Feith Systems has helped organizations like yours deal with Privacy in their Content, reach out today.