Which practice best safeguards PII?

Limiting who has access to PII embodies the principle of least privilege: only people who need the data to do their job should be able to view or handle it. This directly reduces the number of potential exposure points and makes it much harder for unauthorized or inadvertent access to occur. In practice, you implement controls like role-based access, strong authentication, and regular reviews of who truly needs access, along with monitoring and auditing to catch any overreach. Locking it up and storing it securely are important parts of protection, but they don’t by themselves restrict who can view the data once someone has access or is using a system. Shredding is about deleting data you no longer need, which is good for minimizing data you hold but doesn’t address access to data you already retain. So restricting access to those who need it is the most effective single safeguard for PII.