The GDPR focusses on upholding the privacy rights of EU citizens-it aims to protect their data. Organisations must follow technical and organisational processes to ensure that the personal information that they process, collect and store (of their employees, customers, clients and users) is properly protected.
There is often confusion surrounding the definition of personal information and in order to comply with the regulation, it is important for organisations to know what personal information is and what it isn’t.
Variations of the term are being used. We hear of personal data, personally identifiable information (PII), sensitive personal data, data that directly identifies, data that indirectly identifies as well as online identifiers. So…it’s no surprise that many are left slightly perplexed.
Surprisingly, many organisations still strongly believe that they do not collect, store or process personal data in any form. This may be down to not understanding what personal data is or perhaps denial-who knows? However, come May 2018 those organisations who do process this data and are not compliant, are not going to be able to side-step the consequences. The GDPR does not allow for pleas of ignorance. Declaring that you ‘just did not know’ is not going to cut it, unfortunately!
We need some clarity to ensure that we have the correct practises in place to securely process and manage this data in an approach that complies with the GDPR.
On the 25 May 2018, the GDPR will replace the EU Data Protection Directive 95/46/EC (DPD) and aims to clarify many of the uncertainties that exist.
Variations of a term
Personal information and PII
Personally Identifiable Information (PII) is the American term and the term personal information is meant to be the EU equivalent of PII. Nonetheless, they do not correspond with each other exactly. All PII can be personal data but not all personal data is considered as PII.
Personal information in the context of the GDPR covers a broader range of information and some of this data is not considered PII . Therefore, to comply with the GDPR you need to look at the broader context of what personal data is.
PII has a limited scope of data which includes: name, address, birth date, Social Security numbers and banking information. Whereas, personal information in the context of the GDPR also references data such as: photographs, social media posts, preferences and location as personal.
PII is any information that can be used to identify a person. This could be a single piece of data or multiple pieces of data that when compiled, or seen together, can identify a person or distinguish one person from another.
Personal information is any information relating to a person, directly or indirectly. However, with reference to the GDPR meaning of personal information, the regulation also determines the type and amount of data that you can collect, process and store.
Sensitive personal data
The GDPR also references ‘sensitive personal data’ which requires extra special care and incorporates enhanced requirements for protection and processing of this data. This is usually attributed to health-related data, amongst others (racial or ethnic origin, political views, sexual preferences, religious beliefs etc.). It is the data which generates the highest risk and greatest harm to the individual if breached.
Genetic and biometric data categories under the GDPR are classified as sensitive personal data. These data types are now put in the category with other sensitive data and require enhanced security and protection (as the risk to the individual is much greater).
Explicit consent is needed to process this data too. Before processing this type of data, a privacy impact assessment (PIA) may be required to ensure that the processing procedures used are compliant, the risks are identified and properly managed.
What do the regulations say?
All data protection laws, globally, set out to protect personal data. The GDPR is focused on protecting the human rights of the data subject, in this case their right to privacy. The laws all define personal data slightly differently and organisations are left confused. Many regulations allow for varied interpretations of term.
The DPD says…
The current EU Data Protection Directive 95/46/EC (DPD) defines personal data as the following:
‘personal data’ shall mean any information relating to an identified or identifiable natural person (‘data subject’); an identifiable person is one who can be identified, directly or indirectly, in particular by reference to an identification number or to one or more factors specific to his physical, physiological, mental, economic, cultural, or social identity;
Under the DPD, the definition is a little vague as to whether data such as IP Addresses, cookies and device IDs (for example) are classified as personal data. Some say they are, as cookie strings and IP addresses could possibly identify a person. Yet, others believe them not to be.
How about the GDPR…
The GDPR defines personal data as the following:
‘personal data’ means any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person;
The GDPR helps to further clarify personal data. Under the GDPR, data previously not clearly classified as personal-now is. It clarifies that online identifiers and location data are all personal and must be protected as such. It is defined in the GDPR under Personal Data and Unique Identifiers.
The GDPR also defines Pseudonymous Data, Genetic Data and Biometric Data.
Can personal data become non-personal data?
If personal data is pseudonymised or encrypted does this convert it to non-personal data? This is a question that is often pondered.
The answer is no, it doesn’t. Encryption does not convert personal data to non-personal data. However, it does remove the ability for the data to identify a person. As the data can no longer be used to identify a person, the organisation that used the technical measure to pseudonymise the data is often afforded some regulation leniency. Particularly with regards to data breach notification requirements. This flexibility is due to the fact that the risk and harm to the individual is substantially reduced, as the data (although in breach) can no longer identify any person. So…Encrypting your data seems to be the answer!
Furthermore, other GDPR provisions may not be as stringent if the data is encrypted because the data that is pseudonymised is unlikely to create risk or harm to the individual. By employing technologies that encrypt the data or render it pseudonymised, organisations are able to manage compliance responsibilities and better manage their risk.
It’s important to remember that pseudonymous data is still classified as personal data and falls within the constraints of the GDPR regulation.
More personal data exists now than ever before
What once was not defined as personal data, now is: a customer number held in a cookie, a device ID, an IP address or any unique device identifier. It is unlikely that your organisation does not process personal data at all!
We should not be trying to hide behind variations in a term or a definition. The differences with regard to the terms used are not huge. It’s important to remember that personal data under the GDPR clarifies much more information than it did under the DPD and incorporates more than the American definition of PII. You need to address the broader context-all the data categories and their specific requirements to type, storage, collection and processing. If anything, presently and going forward, there is more personal data that we need to protect- thus the responsibility is greater.
It is becoming more challenging to comply with privacy standards but utilising tools and technologies (the appropriate operational and technological measures) for protecting process and information makes it much easier to achieve.
By taking a data-centric approach to secure the data directly and make it unidentifiable with encryption or pseudonymisation removes the risk and harm to the individual. Moreover, you get to relax a little more knowing that your data is confidential, no matter what happens or where it travels.
After a little consideration, you may be surprised at the vast amount of personal information that you collect, process and store. If unsure, perhaps it’s best to just encrypt it is all!