How do you conduct a PII audit?

For almost every organisation, data is becoming an increasingly valuable asset. Companies have more of it, they’re more reliant on it, and they’re investing more in collecting, storing, securing, and analysing it. For hackers, the same principal applies – there are a growing number of opportunities to steal valuable information from organisations, and the investment in and sophistication of these hacking efforts have increased commensurately.

For most companies, the past few years have been a period of rapid change in the data space, with many (understandably) failing to enhance their data security in line with the increased value of their data. Data security is often an afterthought – it requires niche, highly specialised skillsets, it’s hard to quantify the ROI, and it’s often hard to see why hackers would want your first-party data. The risks, however, particularly when it comes to personally identifiable information (PII) are too hard to ignore.

What is PII (personally identifiable information)?

There’s no set legal definition of PII – its definition is dependent on industry standards and interpretation. Broadly speaking, information is regarded as personally identifiable if it can be used to identify an individual. There are obvious examples of this such as credit card details or personal health records, but at other times there’s some ambiguity as to what constitutes PII. For example, medical records attached to a person’s surname and postcode could provide a malicious agent with enough information to identify who that person is, depending on how many people live in that postcode or the popularity of the surname. A good policy is to treat these borderline cases as though you’re dealing with PII.

Why protect PII?

If you’re having trouble convincing your CEO to invest in IT security, Facebook’s recent $5b fine for exposing the personal information of 763m users is a good example to point to. In most jurisdictions, individuals have the right to sue a company for failure to protect PII. To protect themselves against class action suits, companies are required to meet the data protection standards of their industry, their local jurisdiction, and that of any jurisdiction their customers reside in. They’re also obliged to meet data privacy requirements stipulated in commercial contracts, i.e., they need to meet the standards enforced by any government agency or other business they work for. External company audits will review the extent to which these overlapping sets of standards have been complied with.

How to conduct a PII audit

Complying with multiple sets of ambiguous and constantly evolving standards is complex for any business, but the costs of non-compliance warrant paying significant attention to how you’re managing your data. Here’s how you might approach an internal PII compliance audit:

Data identification and classification

Using data discovery software, you can create an inventory of all information held within the organisation and identify where it’s stored and who can access it. These tools can also auto-classify this information as PII / non-PII and point you to relevant standards governing the type of information in question (e.g., health records, financial information etc.)

Risk assessment

You’ll need to assign a risk rating to each piece of information, accounting for its sensitivity, value, the costs of a breach, and the likelihood of it being breached. Benchmarking software can be used to help make these assessments, which are then used to prioritise remediation efforts.

Technology & process review

A review of data security documentation and interviews with staff on policies and processes. You may also want to conduct a review of your tech stack to identify weaknesses in how it’s configured.


Create a prioritised list of recommendations and add their implementation to your roadmap.


As you make changes to your data security systems and processes, you’ll want to train your staff on how to comply with them effectively without significantly adding to their workload.

Do I need external help?

Conducting an effective PII audit requires a very specific set of skills, experience, and technology. External auditors can provide this, as well as a critical outsider’s perspective on your company’s data management practices. Seeking out an external provider that specialised in PII audits is (for most organisations) the only way to conduct one both efficiently and comprehensively.

How can we help you?