With GDPR coming into force on 25th May later this year, there is a lot of confusion as to what constitutes Personal Identifiable Information (PII) and what it means with regard to protection. Personal Identifiable Information comes in two forms, as defined in the regulations:
Firstly, personal information is any information relating to an identifiable person who can be directly or indirectly identified. This deliberately broad definition covers a multitude of personal identifiers, including name, identification number, location data and online identifiers, reflecting changes in technology and in the way organisations collect information about people. It applies both to automated personal data and to manual filing systems where personal data is accessible according to specific criteria. Personal data that has been assigned a code (pseudonymised data) can also fall within the scope of the GDPR, depending on whether it can still be used to identify a person.
Secondly, personal identifiable information can be sensitive personal data, the “special categories of personal data”, which include genetic data and biometric data where these are processed to uniquely identify an individual.
All information whether personal or sensitive must be protected in line with the guidelines and abide by the seven principles of the new regulations.
Technology platforms have changed the way businesses operate, governments legislate, and individuals relate to each other. The internet, mobile phones, social media, and e-commerce have created an explosion of data. This is often called ‘Big Data’, and it is collected, processed and analysed by companies, and shared with third parties, to gain a better insight into their customers.
GDPR legislation comes into force this year, and its aim is to provide a single set of standardised data protection laws across Europe. Article 4 states: “an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location number, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.”
Information has tended to be treated as an undifferentiated mass, without adequate understanding of its content. With the advent of GDPR this can no longer continue: organisations must review, separate and protect all personal information they hold.
GDPR broadens the definition of personal data, imposes stricter consent requirements, gives data subjects ‘the right to be forgotten’, and requires some larger organisations to appoint data protection officers.
Central to the new law is that organisations and businesses must be fully transparent with the owners of the information about how they are using and safeguarding personal identifiable data, and must be able to demonstrate accountability for their data processing activities.
What can companies do to protect their customers’ data? You need to ensure you have adequate systems and software in place so that your business or organisation is compliant. Understanding what personal data you are holding is key. You also need to be aware of what is happening with that information when it is used externally, for example by social sharing buttons and cookies on your website. Although these are implemented by third parties, those third parties consider themselves the processor and you the controller, so it is your responsibility to ensure that they are GDPR compliant.