Personal Data, PII and GDPR Compliance

February 1, 2018

  The countdown for the European Union’s General Data Protection Regulation (GDPR), which will go into full effect in May 2018, is coming to a close. GDPR aims to solidify the data privacy rights of EU residents and the requirements on organizations that handle customer data. It introduces stern fines for data breaches and non-compliance […]

[caption id="attachment_6094" align="aligncenter" width="6500"]GDPR [/caption]

 

The countdown for the European Union's General Data Protection Regulation (GDPR), which will go into full effect in May 2018, is coming to a close. GDPR aims to solidify the data privacy rights of EU residents and the requirements on organizations that handle customer data. It introduces stern fines for data breaches and non-compliance while giving people a voice in matters that concern their data. It will also homogenize data protection rules throughout the EU. The current legislation, the EU Data Protection Directive was enacted in 1995, before cloud technology developed innovative ways of exploiting data; GDPR aims to address that. By enacting strict regulations and stiffer penalties the EU hopes to boost trust within a growing digital economy.

Despite the fact that GDPR came into force on 24th May 2016, organizations and enterprises still have until the 25th of May 2018 to fully comply with the new regulation. A snap survey of 170 cybersecurity pros by Imperva revealed that While a vast majority of IT security professionals are fully aware of GDPR, less than 50 percent of them are getting everything set for its arrival. It went on to conclude that only 43 percent are accessing the impact GDPR will have on their company and adjusting their practices to comply with data protection legislation. Even though most of the respondents we based in the United States, they are still likely to be hit by GDPR if they solicit and/or retain (even through a third party) EU residents’ personal data.

Remaining compliant with GDPR demands, among several other things, a good understanding of what constitutes ‘personal data’ and how it differs from ‘personal identifiable information’ or PII.

What is Personal Data In the GDPR Context?

The EU’s definition of personal data in GDPR is markedly broad, more so than current or past personal data protection. Personal data is defined as data about an identifiable or identified individual, either indirectly or directly. It is now inclusive of any information that relates to a specific person, whether the data is professional, public or private in nature. To mirror the various types of data organizations currently collect about users, online identifiers like IP addresses have been categorized as personal data. Other data such as transaction histories, lifestyle preferences, photographs and even social media posts are potentially classified as personal data under GDPR. Recital 26 states:

To determine whether a natural person is identifiable, account should be taken of all the means reasonably likely to be used, such as singling out, either by the controller or by another person to identify the natural person directly or indirectly. To ascertain whether means are reasonably likely to be used to identify the natural person, account should be taken of all objective factors, such as the costs of and the amount of time required for identification, taking into consideration the available technology at the time of the processing and technological developments.

This personal data term directly applies to all the 28 states in the European Economic Area (EEA)

Is Personally Identifiable Information (PII) the Same as Personal Data?

The term ‘Personally Identifiable Information’ doesn’t appear anywhere in the GDPR; however, it does have a definite meaning in US privacy law. Therefore the term in itself is likely to cause confusion to anyone seeking to comply with GDPR. For a concept that has become ubiquitous in both technological and legal colloquy, PII is surprisingly hard to define. In a nutshell, PII refers to any information that can be used to distinguish one individual from another. This includes any information that can be used to re-identify anonymous data. This can solely refer to data that is regularly used to authenticate/identify an individual, this may be averse to information that violates the privacy of on individual, that is, reveal sensitive information regarding someone. The US interpretation of the term is undeniably incongruous with what is relevant for a proper GDPR assessment since it pre-selects a set of identifying traits.

To put it bluntly, all PII can be considered personal data but not all personal data is Personally Identifiable Information. Developing a solid GDPR compliance program demands that IT architects and marketers move beyond the restricted scope of PII to examine the full spectrum of personal data as defined by the EU.

Handling Personal Data in Accordance With GDPR

The first step to GDPR compliance in matters pertaining personal data is undoubtedly the risk assessment of how existing data is being stored and accessed, the level of risk attached to it, and whether it contains any PII. The data might be stored on server file systems, databases or even on an end user’s physical storage or cache. Becoming GDPR compliant will mean that you are not only protecting more data types in the future but will also involve dissipating more effort in the identification of existing data that initially wasn’t considered personal data. It is important to note that you cannot limit your scope to the data you hold as if it were a closed system. Nowadays, people typically interact with interconnected systems, and GDPR mirrors that. In such scenarios, organizations should focus outward, and infer who in their ecosystem can connect with an attribute to another, from the multiple varying paths to re-identification within their ecosystem.

Additionally, GDPR requires that a document ‘opt-in’ consent must be provided by each individual. The consent has to explicitly pinpoint the data collected, how it is going to be used and how long it will be retained. Organizations also have to provide participants with an option to remove their consent at any given time and request their personal data be permanently deleted. Participants should have the ability to get factual errors amended, and even request their personal data for review and use.

The General Data Protection Regulation sets a new standard in the protection of personal data. Its efforts aim to grant data subjects more control over their data while ensuring the transparency of operations. FileCloud provides a set of simple features that can help organizations meet GDPR requirements.

Click here for more information.

Author: Gabriel Lando

Image courtesy of freepik.com

By Team FileCloud