GDPR Part II – Identification of the EU Citizen: A Course in PII

The fines for non-compliance with The Regulation can reach 4% of annual global turnover or 20 million euros, whichever is greater.

Enforcement is harsh: in addition to the fines, the data controller and the processor can be held jointly liable for the full amount of the damage suffered by the data subject, so a controller cannot escape liability by pointing at its processor.

The fines for non-compliance are staggering. Tell me, have I gotten your attention yet? The Regulation’s grace period is about to be over. May 25th is coming soon, and I have to ask: is your company ready to comply with GDPR? Interestingly enough, with all the conversations, presentations, webinars and articles that I and others have given, there are still companies out there that haven’t started an initiative to begin the compliance process for GDPR.

Just a few weeks ago, I gave a GDPR presentation to a group of about 100 people, and when I asked how many people were involved in an initiative to become compliant, fewer than two handfuls of the audience put their hands up. As we discussed the reasons why, the problem continued to be two-fold: 1) there is confusion about whether a company needs to become compliant, and 2) those same companies are completely confused about what to do.

In last month’s article, GDPR Part I, I tried to help companies understand how The Regulation works, the rights of the data subject, the terminology, how to determine whether a company needs to become compliant and how to start preparing for GDPR. The one take-away from that article was that The Regulation applies to European Union companies as well as non-EU companies: it covers any company that processes the personal data of people in the European Union, no matter where the company itself is located. (Strictly speaking, Article 3 refers to data subjects who are in the Union, not to EU citizens; it is presence in the EU, not nationality, that triggers The Regulation.)

In the remainder of this 2nd article, we’re going to discuss Personally Identifiable Information, or PII. The Regulation never actually uses the term PII; what it defines, in Article 4(1), is “personal data”, and it defines that very broadly. So, I’ll try to describe several types of PII, and you’ll need to decide what types of PII your company holds, as well as how this other term, reasonable business use, applies to it.

Personally identifiable information is any information that can be used to identify a data subject, that is, a natural person, and it must be protected for anyone in the EU. Identification can be direct or indirect, by reference to some type of identifier. These identifiers include a name, an identification number, an email address, a phone number, location data, and online identifiers such as an IP address or a cookie. PII can also include social media posts and factors specific to a person’s physical, genetic, physiological, mental, medical, economic, cultural or social identity, or even sexual orientation (which The Regulation treats as a special category of data under Article 9, with stricter rules). PII can include location (either physical or digital) and even bank or credit card details. In short, PII includes every type of identifier that discloses, or can be combined with other data to disclose, a data subject’s identity.

The DPO, or data protection officer, has the responsibility to monitor your company’s compliance with The Regulation; the controller, who decides why and how personal data is processed, has the responsibility to ensure that processing respects the data subject’s rights; and the data processor, who processes data on the controller’s behalf, must protect the PII during processing. Note that the security obligations of Article 32 fall on both the controller and the processor, so a controller cannot simply delegate protection of PII to its processors.

Transfers of PII between EU Member States are not restricted: personal data flows freely within the EU (and the wider EEA). The transfer restrictions apply to countries outside the EU, and “portability” is something else again: it is the data subject’s right (Article 20) to receive their data and move it to another provider. In the absence of an adequacy decision or other appropriate safeguards, a transfer outside the EU may still be made under the derogation in Article 49 when it is not repetitive, concerns only a limited number of data subjects, and is necessary for compelling legitimate interests of the company that are not overridden by the interests, rights or freedoms of the data subject.

Grounds on which such a transfer can be justified include:

  • Where none of the other grounds for transfer are applicable (the compelling legitimate interest fallback described above)
  • For scientific, historical or statistical research
  • For the legitimate expectations of society for an increase of knowledge (science being the example The Regulation itself gives)
  • When the data subject has explicitly consented to the transfer, after being informed of its risks
  • When the transfer is necessary in relation to a contract or a legal claim
  • When the transfer is in the public interest (security, criminal or medical matters are the typical cases)

Now, let’s discuss reasonable business use. This is not a term The Regulation itself uses (the closest concept is the “legitimate interests” lawful basis in Article 6(1)(f)), but it captures the idea that a company needs access to information for legitimate business purposes, and that processing of the data must occur within a defined data retention period.

An area of importance within any compliance program is a data retention strategy, where companies identify and segment data and then determine the classification and retention period for each category. For example, US law requires the human resources department to keep certain employee records for seven years. This data would be classified as confidential with a retention period of seven years. Retaining it for that period is reasonable: the company can store and use the information within the period, but it must delete or anonymize the data once the period expires, because The Regulation’s storage limitation principle forbids keeping personal data longer than the purpose requires.

Now, let’s consider a customer who comes to your website. If the site sets a cookie for the session and tracks the customer’s preferences or behavior in order to offer product suggestions, that may be fine for the session (keep in mind that the cookie identifier is itself an online identifier, and that a non-essential tracking cookie needs the visitor’s consent in the first place). But unless the consumer has consented to continued promotion of the company’s goods or services, continuing to contact the customer afterwards would not be an example of reasonable use, and the data may well be outside its retention period.

There are many nuances regarding PII, international transfers, portability and the rights of the data subject. Remember, The Regulation is open to interpretation, and it is best to consult an attorney about how and why your company should become compliant with GDPR.

In the 3rd installment of this article, we’ll discuss how technology can help you achieve compliance. If you believe that your company may need to comply with The Regulation, I can only offer that you’ll need to start now.

©2018 All Rights Reserved

Sue Bergamo is the CIO & CISO at Episerver, a global digital commerce company. She can be reached at

*The content within this article is the sole opinion of the author.
