What Is PII?
First, some background. Personally Identifiable Information is data that an organisation stores which can be used to identify a specific individual. What exactly that means depends on which legal regime you’re looking at. In the EU context, the General Data Protection Regulation (GDPR) defines PII very broadly, so that IP addresses, phone numbers, mailing addresses, and even analytics data are all considered PII.
Organisations are interested in securing PII because it is a source of business value and because they are liable if hackers are able to access PII. In the UK, that liability is defined in the Data Protection Act of 2018 (DPA). That law outlines the penalties for companies who fail to protect PII, and requires companies dealing with PII to lay out processes for securing it. For British companies, the GDPR and the DPA combine to define the minimum PII security, and what a security policy must cover.
In the cloud context, PII carries additional regulatory concerns. Even so, as a recent survey indicated, 97% of US banks are developing or deploying a cloud strategy. So while regulation is obviously a concern, it’s a small obstacle and not a total roadblock. A proper cloud policy that addresses security is behind every successful move to the cloud.