Data breaches are an everyday occurrence that demonstrate no enterprise or individual is impervious to vulnerabilities. In 2015, there were 781 known data breaches in the U.S., the second highest year since the Identity Theft Resource Center began tracking them in 2005.[1] Between this influx of breaches and rapidly evolving and emerging privacy laws, it is no wonder enterprises are struggling to protect and effectively manage personally identifiable information (PII).

The sources of PII maintained by enterprises range from internal employee information to customers and vendors, and are pervasive because PII likely impacts a significant part of the enterprise’s records retention schedule (RRS). Identifying what records are subject to PII laws is fundamental to any strategy for effectively managing PII. While this task seems simple enough, making such a determination is ultimately dependent upon the jurisdiction(s) that are relevant to the PII. For enterprises that operate in various U.S. states and/or internationally, it becomes increasingly complex to reconcile requirements across different jurisdictions.

To provide initial guidance on identification and management of PII through an RRS, I’ve provided a few examples of U.S. privacy laws that may impact a company, followed by a checklist to help with this process...

Read more at:

Jennifer ChadbandAuthor: Jennifer Chadband, Senior Records Analyst at Zasio Enterprises, Inc.