GDPR Part II – Identification of the EU Citizen: A Course in PII

The fines for non-compliance with The Regulation are 4% of global revenue or 20 Million Euros – whichever is greater.

When it comes to the fines associated with The Regulation, enforcement is harsh, and in addition to the fines, the data controller and the processor together can also be held liable for the full amount of the damages to the data subject.

The fines for non-compliance are staggering. Tell me, have I gotten your attention yet? The Regulation’s grace period is about to be over. May 25th is coming soon, and I have to ask…is your company ready to comply with GDPR? Interestingly enough, with all the conversations, presentations, webinars and articles that I and others have given, there are still companies out there that haven’t started an initiative to begin the compliance process for GDPR.

Just a few weeks ago, I gave a GDPR presentation to a group of about 100 people, and when I asked how many people were involved in an initiative to become compliant, less than two handfuls of the audience put their hands up. As we discussed the reasons why, the problem continues to be two-fold: 1) there is confusion regarding if a company needs to become compliant and 2) these same companies are completely confused about what to do.

In last month’s article, GDPR Part I, I tried to help companies understand how The Regulation works, the rights of the data subject, the terms, how to determine if a company needs to become compliant and how to start to prepare for GDPR. The one take-away in that article was that The Regulation is applicable to both European Union and non-EU companies – it applies to any company that is processing personal data of European Union citizens, no matter where that company is located in the world.

In the remainder of this 2nd article, we’re going to discuss Personally Identifiable Information, or PII. The Regulation itself hasn’t really defined PII either. So, I’ll try to define several types of PII, and you’ll need to decide what type of PII your company has, as well as how it fits into this other term called reasonable business use.

Personally identifiable information is any information that can be used to identify a data subject (a natural person), and PII needs to be protected for a citizen of the EU. Personal information can identify someone directly or indirectly, by reference to some type of identifier. These identifiers can include a name, ID number, email address, phone number, location data, online identifier/IP address or cookie. It can also include social media posts and physical, genetic, physiological, medical, economic, cultural, social identity or even sexual preference. PII can include location (either physical or digital) and even bank or credit card details. PII includes all types of identifiers that disclose a data subject’s identity.

The DPO, or data protection officer, has the responsibility to make sure that your company is complying with The Regulation, and the controller has the responsibility to ensure that processing occurs with the data subject’s rights in mind. It is the data processor’s responsibility to protect the PII of an EU citizen during processing.

If PII is transferred between EU Member States, it is due to a provision called portability. When PII has been transferred, the transfer must not be repetitive, the data transferred can only concern a limited number of data subjects, and the data can only be used for a compelling and legitimate reason, provided these interests are not overridden by the interests, rights or freedoms of the data subject.

Compelling and legitimate reasons can include:

  • Where none of the other grounds for transfer are applicable
  • For scientific, historical or statistical research
  • For the legitimate expectations of society for an increase of knowledge (an example is science)
  • When the data subject has explicitly consented to the transfer
  • When the transfer is necessary in relation to a contract or a legal claim
  • When the transfer is in the public interest (or if it is security, criminal or medical related)

Now, let’s discuss reasonable business use, where a company needs access to information for legitimate business purposes, and processing of the data occurs within a data retention period.

An area of importance within any compliance program is a data retention strategy, where companies identify and segment data and then determine the classification and retention period for this information. An example is that US law dictates that the human resources department must keep employee data for a period of seven years. This data would be classified as confidential with a retention period of seven years. The retention of this data is reasonable, where the company can store and use the information within this time period.

Now, let’s consider a customer that comes to your website. If the site adds a cookie to the session and tracks the customer’s preferences or behavior and offers product suggestions, that is fine for the session. But unless the consumer provided consent to continue to receive promotion of the company’s goods or services, continuing to contact the customer would not be an example of reasonable use and may not be within the retention period.

There are many nuances regarding PII, portability and the rights of the data subject. Remember, The Regulation is open to interpretation, and it is best if you consult with an attorney regarding how and why your company should become compliant with GDPR.

In the 3rd installment of this article, we’ll be discussing how technology can help you achieve compliance. If you believe that your company may need to comply with The Regulation, I can only offer that you’ll need to start now.

©2018 All Rights Reserved

Sue Bergamo is the CIO & CISO at Episerver, a global digital commerce company. She can be reached at sue.bergamo@episerver.com.

*The content within this article is the sole opinion of the author.
