GDPR Compliance: PII and Data Privacy Explained
GDPR, or the General Data Protection Regulation, is a set of rules that give individuals specific rights regarding their personal data. It also regulates how organizations collect and use people’s personal information within the European Union (EU). Under the GDPR, any organization that processes personal information within the EU must follow these regulations or risk steep noncompliance fines. Let’s discuss the types of applicable personal information and how data privacy laws like the GDPR keep internet users safe.
What is the General Data Protection Regulation?
The GDPR is a law passed in 2016 and made applicable two years later. It replaced the EU’s Data Protection Directive, which had been enacted more than 20 years earlier in 1995. The GDPR is the most comprehensive data protection law in the world and applies to all companies that process the personal data of EU residents.
The European Commission (the executive branch of the EU) created the GDPR in order to address issues related to processing special categories of data, such as racial or ethnic origin; genetic data or biometric data for purposes other than detecting fraud; processing health records; data of children under 13 years old; criminal convictions and offenses; religious beliefs or sexual orientation; trade union membership or political opinions.
GDPR data privacy rules apply to all companies that process data on EU citizens, even if the company is based outside the EU. In addition, many organizations in countries outside of Europe have adopted these or very similar regulations and use the term “GDPR compliant” to express to customers that their data is well-protected.
What is Personally Identifiable Information (PII)?
Personally Identifiable Information, abbreviated as PII, is any information that could allow the identity of an individual, also known as a data subject, to be discovered either directly or indirectly. PII is related to data privacy, or the procedures for proper handling, collecting, processing, and sharing of personal data.
When organizations process the PII of EU data subjects, they must be able to justify or demonstrate their need to do so, or else the collection of that data is illegal. In addition, the identifying information that is collected should be accurate and kept up to date, and may only be stored as long as it is necessary for the purpose they explicitly stated upon collection.
What are some examples of PII?
Of course, most people could easily name examples of PII, such as a person’s name, home address, email address, phone number, or IP address (sometimes referred to as a "dynamic identifier"). However, there are also many other types of data that can constitute PII, including geolocation data, photos and videos, audio recordings, medical records or other health information (including genetic information), financial data such as credit card numbers or banking information that identifies someone's account balance at a specific bank or institution, and even social media activity logs for Facebook and Twitter accounts. If a dataset contains any of these sensitive elements, then the dataset as a whole is considered PII.
How does GDPR protect PII?
GDPR protection laws extend the rights of individuals regarding their personal data. These rights include:
- The right to be informed: Data subjects must be notified about when their identifying information is being collected and processed, what kind of information is collected, why it’s collected, and who it will be shared with.
- The right of access: Individuals have the right to know what data is being held about them, how they can access that data, how long the data storage will last, and who their personal data has been shared with (including any third-party companies that may have unknowingly received it).
- The right to rectification: Data subjects have the right to request corrections if there are errors in their records, as well as to object to any processing that violates GDPR rules or isn’t necessary for the purpose for which the data was originally collected.
- The right to erasure (also known as the “right to be forgotten”): A person has the right to request deletion of all of their own personal records once the data no longer serves any purpose within your business model or operating procedures. This includes deletion by all third parties who may have access to the data through subcontracted agreements.
How is the GDPR enforced?
Companies that wish to gain access to EU citizens’ personal information must remain in compliance with GDPR guidelines and put in place certain safeguards for their data storage process, including the rights above. If a company doesn't meet these requirements, it is at risk of being fined up to 4% of its annual global turnover or €20 million (whichever is higher). These safeguards can also include appointing a Data Protection Officer for your organization, keeping your privacy policy updated and available for review, and spreading awareness of GDPR guidelines through employee education.
Workplace training like the 100% mobile-friendly courses from EasyLlama can help keep your employees knowledgeable about the importance of data privacy, and keep your company from paying steep noncompliance fines. Our GDPR-specific course can help any international company get into compliance with these stringent data protection laws, and the training’s interactive knowledge checks and Hollywood-produced videos will keep your employees engaged too! Find out why our award-winning courses are so intuitive, convenient, and trusted with your own free course preview today.