There has often been confusion around what Personally Identifiable Information is under GDPR and how businesses can protect themselves against being fined for lack of compliance. At times, though, it is difficult to distinguish what personally identifiable information (PII) is in general and what your business needs to do to remain compliant. Thankfully, we’ve created this comprehensive guide to help you understand what PII is and how you can maintain compliance with GDPR’s rules that pertain to PII.
GDPR in a Nutshell
The General Data Protection Regulation (GDPR) is a data protection law that applies to all companies that have any digital interactions with EU citizens. GDPR was originally created to replace the 1998 Data Protection Act and bring about a more uniform and streamlined data security policy that protects user data in the future.
In the full text of GDPR, there are 99 articles setting out the rights of individuals and the obligations placed on organizations covered by the regulation. The rights for individuals include easier access to the data companies hold about them; the regulation also introduces a new fines regime and a clear responsibility for organizations to obtain the consent of the people they collect information about.
Companies that fall under the GDPR umbrella are accountable for their handling of people’s personal information. Companies that have more than 250 employees must ensure that they document why a person’s information is being collected and processed.
They must also include descriptions of the information that’s being held, how long it’s being kept for and descriptions of the technical security measures in place. In addition, these businesses are required to obtain consent to process data in some situations. In short, GDPR compliance is not something to take lightly, and PII should never be dismissed as unimportant.
The General Definition of PII
Even though the definition of PII seems to be straightforward, it is met with many different interpretations which can make compliance more confusing than it should be. For instance, the US Office of Privacy and Open Government defines PII as:
“Information which can be used to distinguish or trace an individual’s identity, such as their name, social security number, biometric records, etc. alone, or when combined with other personal or identifying information which is linked or linkable to a specific individual, such as date and place of birth, mother’s maiden name, etc.”
The broad definition of PII under GDPR, on the other hand, can create security and privacy challenges for any company, worldwide, that processes or stores the personal data of EU residents. Social Security numbers, mailing or email addresses, and phone numbers have most commonly been considered PII, but technology has expanded the scope of PII considerably. This means that more modern interpretations of PII can also include sources of data such as an IP address, login IDs, social media posts, digital images, geolocation, biometric and even behavioral data.
What is GDPR’s Definition of Personal Data
GDPR’s definition of personal data is much broader than any country’s current or previously existing personal data protection. It’s important to know that the term PII is never mentioned in the GDPR. This is because personally identifiable information is a term primarily used in the US, whereas the EU equivalent found in the GDPR is ‘personal data’.
GDPR Article 4 defines “personal data” as:
“any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.”
This definition shows that any information that relates to a specific individual, whether that data is private, public, or professional in nature, is protected under GDPR. GDPR Article 4 applies not only to names, addresses, and financial information, but to anything that could identify the individual. In short, if the data can be traced to a specific individual, it’s designated as PII under GDPR.
What Rights Do Users Have For Their PII Under GDPR?
Under the GDPR, individuals are given the keys to the kingdom when it comes to their personal data (i.e. their PII). Individuals are given full control over what happens with their PII including, but not limited to, the ability to request that it be deleted. They can also request to get factual errors corrected, gain access to their stored personal data, and even export it for their personal review and use if they wish.
GDPR’s personal data rules grant individuals more rights regarding how companies that handle their PII can use it, while imposing heavy fines for non-compliance and for data breaches in which any PII is exploited. These fines can be up to 4 percent of a company’s yearly revenue, which can potentially be billions of dollars for companies with a large market share. The GDPR also requires that companies report data breaches within a 72-hour window, another provision that ensures greater corporate transparency to individuals at all times.
Does My US-Based Company Need to Comply With GDPR?
Even if your company doesn’t do business with the EU at the moment, you may in the future. With data privacy compliance regulations such as CCPA being enacted in the US, stateside businesses are being put in a position where compliance is a requirement, not an option.
If your company is working in the EU or with GDPR-impacted data, you’ve probably felt the sting of GDPR in some way since the regulations were enacted in May 2018. GDPR’s personal data protection laws have made it so that security teams must ensure that any PII that comes in their possession at any point (whether stored or not) is adequately protected and that the proper reporting processes are in place at all times.
What organizations that are required to comply with GDPR must understand is that they need a lawful purpose to store and process the sensitive personal data of a data subject before carrying out that action. In other words, they must receive documented “opt-in” consent from every person (or their legal guardian) every time the organization passes data on. The consent must explicitly identify the data collected, what it is used for, and how long it will be kept.
Organizations must maintain detailed records of when consent to store data was given and thoroughly detail the security precautions they put in place to deter a data breach. They must also notify individuals if their data is being used and the manner in which it is being processed. If the organization that stores an EU individual’s PII does not have the correct processes in place to manage it in a secure manner, that citizen has the lawful right to request that their information be securely deleted.
Who is Affected When PII is Exploited?
Before GDPR was enacted, if an individual’s PII fell into the hands of a hacker by means of a company data breach, the individual shouldered 100% of the financial blow. Since GDPR came into force, one could argue that the companies that have been breached are the ones being drained financially, in more ways than one. This is because GDPR holds these companies accountable for failing to adequately protect their users’ PII and hits them with hefty fines for their cybersecurity procrastination.
Even with these hefty fines pushing global companies towards compliance, over 4.1 billion records were exposed due to data breaches in the first six months of 2019 alone. One of the largest breaches in 2019 came from First American Financial Corp., where 885 million records were exposed online including bank transactions, social security numbers and more.
Another notable company that made headlines for massive data breaches in 2019 was Facebook. The social media platform had 540 million user records exposed on its Amazon cloud server, followed by the exposure of over 267 million Facebook usernames, Facebook IDs, and phone numbers in late December 2019. This stolen PII is potentially worth many billions of dollars to hackers, and businesses and individuals are both taking the financial hit from each devastating breach.
Best Practices for Keeping PII Safe
The role of securing PII falls on both individuals and businesses. Many individuals are using mobile devices to carry out their daily lives which makes the act of keeping PII safe a full-time job not only when you’re at the office but on the go as well.
Best Practices for Individuals
Even if you’re not a multi-millionaire with a bank account to back it up, hackers will still target your PII to sell it on the black market. This is why individuals must not solely rely on businesses to protect their PII and should always use best practices to ensure their personal data doesn’t fall into the wrong hands.
Use Strong Passwords
Most people believe that using a long password with a crazy, complex mixture of upper case letters, symbols, and numbers is what will keep hackers from stealing their PII. This is not only wrong, but it’s also not user-friendly for you in the long run.
Instead of sticking with an extremely long password of jumbled letters and numbers, use a password that has a minimum of eight characters and a maximum length of 64 characters. If you ever forget your password or have had the same password for a year, don’t think twice about resetting it. Lastly, if you get wind of a data breach at a company that has stored your password, reset it immediately to keep your PII safe.
Clear Cookies From Your Web Browser Periodically
Clearing the cookies from your web browser is one way to deter hackers from accessing your PII and stealing your identity. Clearing your cookies every so often is incredibly effective and will reduce the amount of personal information on your device that could lead to data loss. Without cookies, hackers would be prompted for your login credentials every time they browsed a site, which would make it more difficult for them to steal your identity.
Best Practices for Businesses
In 2019, the data breach lifecycle of a malicious or criminal attack took an average of 314 days to resolve. Given the changing landscape of privacy regulations, businesses must adapt and stay compliant. Here are a few best practices for complying with GDPR and protecting the PII of individuals who frequent your establishments.
Only Collect the PII You Need
If you are an organization that collects PII, then it’s your responsibility to ensure the proper protocols are in place to protect it. Before you even consider collecting PII, your business must assess what type of PII it is collecting. By conducting a comprehensive survey, your company can find out where and how it is storing PII and how you can secure it.
Encrypt the PII You Store
Whether the PII is at rest or in motion throughout your organization, make sure that it is encrypted at all times. Encrypting PII can save individuals from damaged credit and identity theft, and can shield your organization from lost revenue, noncompliance fines or reputational damage.
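Added example (not from the original article): one way to realise "encrypt the PII you store" that also serves the deletion right described earlier, written in Go with only the standard library. PIIVault, its per-subject keys and the subject/field identifiers are assumptions for illustration; in a real deployment the keys would live in a key management service rather than an in-memory map.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
)

// PIIVault keeps one AES-256-GCM key per data subject. Erasing that key makes
// every field sealed for the subject unrecoverable (crypto-shredding).
type PIIVault struct{ aead map[string]cipher.AEAD }

func NewPIIVault() *PIIVault { return &PIIVault{aead: map[string]cipher.AEAD{}} }

// Seal encrypts one PII field. Subject ID and field name are bound as associated
// data so a blob cannot be replayed under another subject or field.
// Output layout: nonce || ciphertext || tag.
func (v *PIIVault) Seal(subject, field string, plaintext []byte) ([]byte, error) {
	gcm, ok := v.aead[subject]
	if !ok { // first record for this subject: mint its key
		key := make([]byte, 32)
		if _, err := rand.Read(key); err != nil {
			return nil, err
		}
		block, _ := aes.NewCipher(key) // 32-byte key: cannot fail
		gcm, _ = cipher.NewGCM(block)  // AES block size is 16: cannot fail
		v.aead[subject] = gcm
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, plaintext, []byte(subject+"/"+field)), nil
}

// Open fails after Erase, on tampering, or under a different subject/field.
func (v *PIIVault) Open(subject, field string, blob []byte) ([]byte, error) {
	gcm, ok := v.aead[subject]
	if !ok || len(blob) < gcm.NonceSize() {
		return nil, errors.New("subject unknown or erased, or blob too short")
	}
	n := gcm.NonceSize()
	return gcm.Open(nil, blob[:n], blob[n:], []byte(subject+"/"+field))
}

// Erase serves a deletion request by discarding the subject's key.
func (v *PIIVault) Erase(subject string) { delete(v.aead, subject) }
```

Because the ciphertext is useless without the subject's key, copies that linger in backups are covered by the same erasure.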
Keeping PII Secure in the Future
By placing an emphasis on securing your customers’ PII in compliance with GDPR, your business can successfully facilitate an improved customer experience while protecting their privacy. Not only does this help boost customer loyalty and trust, but it helps in future-proofing your tech investments against evolving data privacy requirements.