GDPR Part II – Identification of the EU Citizen: A Course in PII

The fines for non-compliance to The Regulation are 4% of global revenue or 20 Million Euros – whichever is greater.

When it comes to the fines associated with the Regulation, the enforcement is harsh, and in addition to the fines, the data controller and the processor, together can also be held liable for the full amount of the damages to the data subject.

The fines for non-compliance are staggering. Tell me, have I gotten your attention yet? The Regulation’s grace period is about to be over. May 25th is coming soon, and I have to ask…is your company ready to comply with GDPR? Interesting enough, with all the conversations, presentations, webinars and articles that myself and others have given, there are still companies out there that haven’t started an initiative to begin the compliance process for GDPR.

Just a few weeks ago, I gave a GDPR presentation to a group of about 100 people, and when I asked how many people were involved in an initiative to become compliant, less than two handfuls of the audience put their hands up. As we discussed the reasons why, the problem continues to be two-fold: 1) there is confusion regarding if a company needs to become compliant and 2) these same companies are completely confused about what to do.

In last month’s article GDPR Part I, I tried to help companies understand how The Regulation works, the rights of the data subject, the terms, how to determine if a company needed to become compliant and how to start to prepare for GDPR. The one take-away in the article was that The Regulation is applicable to both European Union, as well as non-EU companies – and that it applies to any company that is processing personal data for European Union citizens – no matter where they are located in the world.

In the remainder of this 2nd article, we’re going to discuss Personal Identifiable Information or PII. According to The Regulation, PII hasn’t really been defined either. So, I’ll try to define several types of PII and you’ll need to decide what type of PII your company has, as well as this other term called reasonable business use.

Personal identifiable information is any information that can be used to identify a data subject, natural person and PII needs to be protected for a citizen of the EU. Personal information can be direct or indirect, by reference of some type of identifier. These identifiers can include name, ID, number, email address, phone number, location data, online identifier/IP address or cookie. It can also include social media posts, physical, genetic, physiological, medical, economic, cultural, social identity or even sexual preference. PII can include location (either physical or digital) and even bank or credit card details. PII includes all types of identifiers that disclose a data subjects identity.

The DPO or data protection officer has the responsibility to make sure that your company is complying to The Regulation and the controller has the responsibility to ensure the processing occurs with the data subject’s rights in mind. It is the data processor’s responsibility to protect the PII for an EU citizen during processing.

If PII is transferred between EU Member States, it is due to a provision called portability, and when PII has been transferred, it must not be repetitive, the data transferred can only concern a limited number of data subjects and the data can only be used for a compelling and legitimate reason; if these interests are not overridden by the interests, rights or freedoms of the data subject.

Compelling and legitimate reasons can include:

  • Where none of the other grounds for transfer are applicable
  • For scientific, historical or statistical research
  • For the legitimate expectations of society for an increase of knowledge (an example is science)
  • When the data subject has been explicitly consented about the transfer
  • When the transfer is necessary in relation to a contract or a legal claim
  • Is of public interest (or if it is security, criminal or medical related)

Now, let’s discuss reasonable business use, where a company needs access to information for legitimate business purposes, and processing of the data occurs within a data retention period.

An area of importance within any compliance program is a data retention strategy, where companies identify and segment data and then determine the classification and retention period for this information. An example is that US law dictates that the human resources department must keep employee data for a period of seven years. This data would be classified as confidential with a retention period of seven years. The retention of this data is reasonable, where the company can store and use the information within this time period.

Now, let’s consider a customer that comes to your website. If the site adds a cookie to the session and tracks the customer’s preferences or behavior and offers product suggestions, that is fine for the session, but unless the consumer provided consent to continue to promote the company’s goods or services; continuing to contact the customer would not be an example of reasonable use and may not be within the retention period.

There are many nuances regarding PII, portability and the rights of the data subject. Remember, The Regulation is open to interpretation and it is best if you consult with an attorney regarding how and why your company should become compliant to GDPR.

In the 3rd installment of this article, we’ll be discussing how technology can help you achieve compliance. If you believe that your company may need to comply this The Regulation, I can only offer that you’ll need to start now.

@2018 All Rights Reserved

Sue Bergamo is the CIO & CISO at Episerver, a global digital commerce company. She can be reached at

*The content within this article are the sole opinions of the author.

Similar Posts

Leave a Reply

This site uses Akismet to reduce spam. Learn how your comment data is processed.