It is simpler to make certain security and privateness controls are sufficient and justified when data has long been categorised and flagged as personally identifiable information and facts (PII). The RSI security web site breaks down the actions in some depth, but the process in essence goes such as this: https://fismacomplianceinusa.blogspot.com/2024/08/web-application-security-testing-in-usa.html