What is PII for GDPR?
The General Data Protection Regulation (GDPR) requires companies across the EU to protect the privacy of, and safeguard the data they keep on, their employees, customers and third party vendors. Companies are now under legal obligation to keep this personally identifiable information (PII) safe and secure.
But first, we need to understand what PII is — and when data retention is and is not allowed under the GDPR.
GDPR PII definition
PII, or Personally Identifiable Information, is any data that can be used to clearly identify an individual. Some examples that have traditionally been considered personally identifiable information include national insurance numbers in the UK, your mailing address, email address and phone numbers. As technology has improved, the scope of PII has grown considerably and now includes IP addresses, login ID details, social media posts and digital images, as well as geolocation, behavioral and biometric data.
Companies are now faced with more challenges in relation to security and privacy than they have ever had before. GDPR has laid out a specific set of regulations that deal with this broad and expanding definition of PII. For a clear understanding of the specifics of the GDPR, check out this recent primer to understand if you store or process PII on EU citizens, what steps you have to take to become GDPR compliant and where to get started with implementing data retention.
GDPR also references sensitive personal data. The legislation requires organizations that store this kind of data to ensure that it is kept securely via encryption and meets several strict compliance requirements.
The impact of GDPR on business
The new regulations are firmly putting the consumer in the driving seat and placing the onus of compliance, and proving said compliance, on the companies and organizations that collect and handle that data. No action means non-compliance, which isn't an option for any business that wants to do business in the EU, either now or in the future.
Listed below are some common questions about how the GDPR will impact your business:
What is considered PII under the GDPR?
Under the GDPR, Personally Identifiable Information (PII) now includes IP addresses. It also includes:
- Names
- Addresses
- Financial information
- Login IDs
- Biometric identifiers
- Video footage
- Geographic location data
- Customer loyalty histories
- Social media
What are users’ rights for PII and Data Retention under the GDPR?
EU citizens now have more rights, and more policies in place, to ensure secure data retention under the GDPR. Organizations must have a lawful purpose to store and process the sensitive personal data of a data subject. There must be a documented record of explicit consent from the individual regarding what data is being collected, for how long, and what it is being used for.
If an organization that stores data does not have the correct processes in place to manage it securely, then citizens have the lawful right to request that their information be securely deleted.
Organizations must maintain detailed reports of when consent to store data was given, as well as the security precautions in place, and they must notify the individuals if their data is being used and the manner in which it is being processed.
What happens in the event of a Data Breach?
In the event of a data breach, all affected parties must be notified in no more than 72 hours. All data breaches must be reported to GDPR regulators, and even small quantities of data loss or minor cyber incidents must be communicated within the specified time frame.
Who does the GDPR apply to?
GDPR applies to every single business and organization within the EU. Even if your business is located outside of the EU but still offers services and products to EU citizens in Europe, you are subject to its laws. For this reason, businesses must appoint a Data Protection Officer (DPO) who is solely in charge of GDPR compliance. Strong penalties have been outlined, with fines as large as 4% of the organisation's global yearly revenue or 20 million Euro, whichever sum is the greater. The biggest data breaches, and the shocking fines that would have been levied, shed light on the potential harm a data breach would do to a business that does not adhere to GDPR. The days of this being just an IT issue are over. The implications for the whole business must be communicated from management down, especially with regard to the way companies handle marketing and sales data.
The impact on customer engagement
The conditions around obtaining consumer data are stricter under the new GDPR than ever before: the data subject can withdraw consent for PII data retention at any time, and the onus is on the company to obtain separate consents for different processing activities. What this means is that companies will have to prove that the individual agreed to a certain action (for example, to receive their monthly newsletter). It is no longer enough to assume consent or add a disclaimer, and simply providing an opt-out is not enough. Sales and marketing teams now have to change how they operate, which will result in significant changes to business policies, procedures and forms to make sure they are compliant with double opt-in rules and email marketing best practices.
How Enterprise Recon helps you find sensitive data
Ground Labs’ mission is to help companies of all sizes, from multinational telecommunication companies to local SMEs, discover where in their networks they hold sensitive data that could put them at risk if they were to suffer a data breach. Enterprise Recon, our forensic data discovery tool, can natively search across your operating systems, servers, databases, workstations, cloud and email, putting you back in control of your customer and employee data. Enterprise Recon has been designed with global compliance standards in mind, helping you find over 300 types of PII and giving you powerful remediation options to protect that data.
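To make the two ideas above concrete (the kinds of identifiers the post lists as PII, and scanning stored data to discover where such identifiers live), here is a small data-discovery scanner in Python. It is example code added for this post, not part of Enterprise Recon or any Ground Labs product. The detection patterns cover four of the listed categories (email addresses, IP addresses, UK national insurance numbers and UK mobile numbers), the sample records are constructed, and the masking rule is an assumption chosen for illustration; a production scanner would add checksum and context validation to keep false positives down.

```python
import re
from collections import Counter
from dataclasses import dataclass

# Constructed sample records, as a scanner might pull them from logs,
# an HR export and a ticketing system. The IP is from the TEST-NET-3
# documentation range, the NI prefix "QQ" is unallocated, and the
# 07700 900xxx phone range is reserved for fiction; none identify anyone.
SAMPLE_RECORDS = [
    "2024-03-01 10:15:02 login user=alice.smith@example.com src=203.0.113.42 status=ok",
    "HR export: employee Bob Jones, NI number QQ123456C, mobile 07700 900123",
    "support ticket #4471: customer asked for deletion under GDPR, no identifiers included",
]

# Illustrative detectors for four of the PII categories listed in the post.
# The NI pattern checks shape only (two letters, six digits, suffix A-D);
# real validation also rejects the prefixes HMRC never allocates.
PII_PATTERNS = {
    "email": re.compile(r"\b[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}\b"),
    "ipv4": re.compile(
        r"\b(?:(?:25[0-5]|2[0-4]\d|1?\d?\d)\.){3}(?:25[0-5]|2[0-4]\d|1?\d?\d)\b"
    ),
    "uk_nino": re.compile(r"\b[A-Z]{2}\d{6}[A-D]\b"),
    "uk_phone": re.compile(r"\b07\d{3}\s?\d{3}\s?\d{3}\b"),
}


@dataclass(frozen=True)
class Finding:
    kind: str    # which PII category matched
    value: str   # the matched text
    start: int   # offset within the scanned text
    end: int


def scan_text(text: str) -> list[Finding]:
    """Return non-overlapping PII findings in text, ordered by position.

    When two patterns overlap, the earlier (then longer) match wins, so a
    single span is reported once rather than under several categories.
    """
    candidates = []
    for kind, pattern in PII_PATTERNS.items():
        for m in pattern.finditer(text):
            candidates.append(Finding(kind, m.group(0), m.start(), m.end()))
    candidates.sort(key=lambda f: (f.start, -(f.end - f.start)))
    findings, last_end = [], -1
    for f in candidates:
        if f.start >= last_end:
            findings.append(f)
            last_end = f.end
    return findings


def mask(value: str) -> str:
    """Assumed remediation rule: keep two leading and trailing characters."""
    if len(value) <= 4:
        return "*" * len(value)
    return value[:2] + "*" * (len(value) - 4) + value[-2:]


def redact(text: str) -> str:
    """Replace every finding in text with its masked form."""
    out, cursor = [], 0
    for f in scan_text(text):
        out.append(text[cursor:f.start])
        out.append(mask(f.value))
        cursor = f.end
    out.append(text[cursor:])
    return "".join(out)


def summarize(records: list[str]) -> dict[str, int]:
    """Count findings per PII category across all records (inventory view)."""
    counts = Counter(f.kind for r in records for f in scan_text(r))
    return dict(counts)


if __name__ == "__main__":
    for i, record in enumerate(SAMPLE_RECORDS):
        for f in scan_text(record):
            print(f"record {i}: {f.kind} at {f.start}-{f.end} -> {mask(f.value)}")
    print("inventory:", summarize(SAMPLE_RECORDS))
```

The inventory produced by summarize is the piece a compliance team actually needs: it answers "what personal data do we hold, and where" before any retention or deletion decision is made, while redact shows one remediation path (masking in place) for data that must remain but no longer needs to be identifiable.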
Privacy Regulations are getting stronger
Now the definition of personal data has expanded to include a customer number in a cookie, a device ID, or an IP address, to name a few. It’s extremely unlikely that your organization does not process personal data of any kind. Remember, GDPR clarifies and defines personal data far better than its predecessor and it incorporates far more than the American conception of PII. Ultimately, there is now more personal data under the scope that you need to protect, so the responsibility is greater.
It is becoming more challenging to comply with global security and privacy standards, so utilizing solutions and technologies like Enterprise Recon, which enable you to accurately discover and remediate personal data, makes it much easier to achieve compliance.
Companies need to take a data-centric approach to secure PII data directly and make sure they do not expose it to potential threats. Understanding what data you have, and where it is, will allow you to put processes in place to protect it; you will be surprised at the vast amount of personal information you store, process and collect.
Ready to start protecting your organization’s PII? Book your free risk assessment with one of our data experts.