The sweeping General Data Protection Regulation (GDPR) goes into effect on May 25. To comply with GDPR, organizations must follow certain steps to ensure that the personal information that they process, collect, and store is properly protected. But unfortunately, there is often confusion about what defines personal information. To comply with the regulation it is important that organizations know what personal information is and what it isn’t. This guide can point you in the right direction.
The personal data conundrum
To protect data appropriately, we must understand what we are protecting or need to protect. The GDPR demands that all organizations — wherever in the world they are located — processing personal information of EU citizens do so in compliance with the regulation. This means that all personal information must be securely processed and managed.
Variations of the term are in use. We hear of personal data, personally identifiable information, PII, and sensitive personal data, as well as data that directly identifies, data that indirectly identifies, and online identifiers. It’s no surprise that we are left muddled.
What is quite surprising, though, is how many organizations in this data age strongly believe that they do not collect, store, or process personal data in any form! This may be attributed to mere ignorance (not understanding what it is) or perhaps denial — who knows? One sure thing is that, come May 25, organizations that do process this data and are not compliant will not be able to side-step the ramifications. The regulation leaves no room for pleading ignorance. Declaring that you “just did not know” is not going to cut it.
We need some clarity to ensure that we have the correct practices in place to securely process and manage this data in a manner to comply with the regulation. Alternatively, we may decide that it is not necessary to keep this data and remove it from the business process completely. Remember…collect and process only what you need for business function (and have acquired explicit permission for). If you don’t need it, don’t collect it! This makes your job so much easier.
Personal information, sensitive information, and PII
Personally identifiable information, or PII, is really the American term. Personal information is meant to be the EU equivalent of PII. However, the two do not always correspond precisely: all PII is personal data, but not all personal data is PII. Personal data in the context of GDPR covers a broader range of information. Therefore, to comply with GDPR you need to look at the broader context of what personal data is, which includes PII as well as other forms of personal data.
To throw a spanner in the works, GDPR also references “sensitive personal data,” which requires extra special care that incorporates enhanced requirements for protection and processing. This is usually attributed to health-related data, among others. It is the data that generates the highest risk and greatest harm to the individual if breached.
Is it all in the name? PII is any information that can be used to identify a person. This could be a single piece of data or multiple pieces of data that when compiled or seen together identify a person or distinguish one person from another.
Personal information is any information relating to a person, directly or indirectly. However, with reference to the GDPR meaning of personal information, it also determines the type and amount of data that you can collect, process, and store.
All data protection laws, globally, set out to protect personal data. GDPR is focused on protecting the human rights of the data subject, in this case their right to privacy. Confusion sets in because each law defines personal data slightly differently, leaving room for varied interpretation. Organizations are left confused as to what personal data is and isn’t. Can personal data become non-personal data if it is pseudonymized or encrypted? Are personal data and PII two references to the same thing?
What does the DPD say?
The current EU Data Protection Directive 95/46/EC (DPD) defines personal data as the following:
‘Personal data’ shall mean any information relating to an identified or identifiable natural person (‘data subject’); an identifiable person is one who can be identified, directly or indirectly, in particular by reference to an identification number or to one or more factors specific to his physical, physiological, mental, economic, cultural, or social identity.
Under the DPD, the definition is a little vague as to whether data such as IP addresses, cookies, and device IDs (for example) are classified as personal data. Some say they are, as cookie strings and IP addresses could possibly identify a person. Others believe they are not.
How about GDPR…
This is one example where the GDPR is clarifying things further. Under the GDPR, this data is classified as personal. It clarifies that online identifiers and location data are all personal and must be protected as such. It is defined in the GDPR under Personal Data and Unique Identifiers.
The GDPR defines personal data as the following:
‘Personal data’ means any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.
GDPR also defines pseudonymous data, genetic data, and biometric data
Pseudonymous data is a little more interesting. It is still classified as personal data and falls within the constraints of the regulation.
So, the answer to the question “can personal data that is encrypted become non-personal data?” is — no, it can’t. Encryption does not convert personal data to non-personal data. However, it does remove the ability of the data to identify a person. As the data can no longer be used to identify a person, the organization that used the technical measure to pseudonymize the data is offered some regulatory leniency, particularly with regard to data breach notification requirements. This flexibility exists because the risk and harm to the individual are substantially reduced, as the data (although breached) can no longer identify any person. Encrypting your data seems to be the answer!
Furthermore, other GDPR provisions may not be as stringent if the data is encrypted because the data that is pseudonymized is unlikely to create risk or harm to the individual. Through employing technologies that encrypt the data or render it pseudonymized, organizations are able to manage compliance responsibilities and better manage their risk.
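The pseudonymization the two paragraphs above describe, shown as an added example (not code from the original article): direct identifiers from the "linked" column are replaced with keyed HMAC-SHA256 tokens, the key standing in for the additional information that has to be held separately from the data. The sample record, the key, and the choice of which fields count as direct identifiers are constructed assumptions for this example.

```python
import hashlib
import hmac

# Constructed sample record, not real data: a "linked" direct identifier
# (full name, email), a "linkable" indirect one (postcode) and a plain
# business value that is not personal data on its own.
RECORD = {
    "full_name": "Alice Example",
    "email": "alice@example.invalid",
    "postcode": "AB1 2CD",
    "order_total": 42.5,
}

# Fields treated as direct identifiers; which fields belong here is an
# assumption made for this example, not a rule from the article.
DIRECT_IDENTIFIERS = {"full_name", "email"}


def pseudonymize(record: dict, key: bytes) -> dict:
    """Replace direct identifiers with keyed HMAC-SHA256 tokens.

    Without the key the tokens identify nobody; with it the controller can
    still re-link the row, which is why the result is still personal data.
    Indirect identifiers are left in place and still need protecting.
    """
    out = {}
    for field, value in record.items():
        if field in DIRECT_IDENTIFIERS:
            # Bind the field name into the message so the same value in two
            # different fields does not yield the same token.
            msg = f"{field}:{value}".encode("utf-8")
            out[field] = hmac.new(key, msg, hashlib.sha256).hexdigest()
        else:
            out[field] = value
    return out


def relink(record: dict, pseudo: dict, key: bytes) -> bool:
    """Key holder's check: does this pseudonymized row belong to a known subject?"""
    expected = pseudonymize(record, key)
    return all(hmac.compare_digest(expected[f], pseudo[f]) for f in DIRECT_IDENTIFIERS)


if __name__ == "__main__":
    demo_key = b"constructed-demo-key-store-separately"  # assumption: held apart from the data
    row = pseudonymize(RECORD, demo_key)
    print(row)
    print("re-linkable with key:", relink(RECORD, row, demo_key))
    print("re-linkable without key:", relink(RECORD, row, b"some-other-key"))
```

Because the tokens are deterministic under one key, records from separate datasets can still be joined by the key holder, which is the leniency the article describes rather than anonymization.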
Genetic and biometric data categories under the GDPR are classified as sensitive personal data. These data types are now put in the category with other sensitive data and require enhanced security and protection (as the risk to the individual is much greater). Explicit consent is needed to process this data, too. Before processing this type of data, a privacy impact assessment (PIA) is likely necessary to make sure the procedures used to process this data are compliant and that the risks are identified so that they can be properly managed. All sensitive data must comply with enhanced security and processing provisions.
The GDPR will replace the EU Data Protection Directive 95/46/EC (DPD) and aims to clarify many of the uncertainties that exist.
Some examples of personal data include (but are not limited to):

| Linked personal data examples (directly linked to a person) | Linkable personal data types (combine to identify a person) | Sensitive (special personal data types) |
| --- | --- | --- |
| Full name | First name only | Biometric data |
| Date of birth | Last name only | Racial data |
| Residential address | A portion of the address (country, street, postcode etc.) | Health data |
| Telephone number | Age category, not specific (20-30 years or 40-60 years etc.) | Ethnic origin |
| Email address | Place of work | Political opinions |
| Passport number | Position at work | Religious or philosophical belief |
| Identification number | IP address | Trade union details |
| Driver's licence number | Device ID | Genetic data |
| Social security number | | Sexual preference |
Privacy regulations, not only GDPR, are hitting home hard
There is a fine line between what is and isn’t personal data. What once was not defined as personal data now is, for example, a customer number held in a cookie, a device ID, an IP address or any unique device identifier. It is unlikely that your organization does not process personal data.
We should not be trying to hide behind variations in a term or definition, though. The differences between the terms used are not huge. You just need to remember that personal data under the GDPR covers much more information than it did under the DPD and incorporates more than the American definition of PII. You need to address the broader context — all the data categories and their specific requirements for type, storage, collection, and processing. If anything, there is more personal data that we need to protect, so the responsibility is greater.
It is becoming more challenging to comply with privacy standards. Utilizing tools and technologies (appropriate operational and technological measures) for protecting processes and information, however, makes compliance much easier to achieve.
Taking a data-centric approach, securing the data directly and making it unidentifiable through encryption or pseudonymization, removes the risk and harm to the individual. You also get to relax a little knowing that your data is confidential — no matter what happens or where it is.
By knowing the type of data that you process, you can put the appropriate measures in place to protect it. You will be surprised at the vast amount of personal information that you collect, process, and store! If unsure, perhaps it’s best to just encrypt it all!