Identifying and Categorizing PII to Enable Data Privacy Compliance
Sagence’s systematic approach to identifying and categorizing Personally Identifiable Information (PII) enabled an insurer to meet regulatory provisions under the California Consumer Privacy Act (CCPA).
Our client, a middle market insurer that does a significant amount of business in California, was required to comply with CCPA. The challenge was that they had limited documentation on their legacy data warehouses and no method to programmatically assess where Personally Identifiable Information (PII) was stored. Additionally, the client did not have a plan to address consumers' queries about their PII that could arise under the law.
The client identified PII data elements that are collected during its business processes. Our team worked with client reporting and data subject matter experts to identify all potential variations and aliases of those data elements in all systems. We then used metadata to perform searches of the target systems to identify possible PII locations. Based on this analysis, the team was able to query the tables and columns in order to identify and document both the location and classification of each PII data element.
We also advised the client on an approach to meet the statutory requirement of providing customers with the PII collected during the course of business. We proposed different search and extraction methodologies that could be employed to quickly respond to requests arising from CCPA.
A comprehensive index and glossary of PII data in previously undocumented systems allowed for compliance with CCPA-specific legislation. The documentation also identified other non-CCPA-related PII, allowing the client to comply with other potential privacy legislation in the future.