The security of user data is of high importance, and that importance only grew with the implementation of the EU’s General Data Protection Regulation (GDPR). These sweeping new regulations went into effect on May 25, 2018. They are European Union regulations, but they have sweeping effects since they apply to any business that stores personal information of any EU citizen.
It’s important to comply with GDPR. The first step, though, is to understand what exactly GDPR requires for your business.
PII Under GDPR
The short answer to the question of what PII is under GDPR is that it’s not a thing. Personally, identifiable information is an American term. The rough European equivalent is personal data. It’s important to note, though, that the two are not identical. The European standards are more restrictive, and the European category (personal data) is, therefore, more inclusive.
Here’s the bottom line: don’t assume that if you’re PII compliant that you’re automatically GDPR compliant. You need to do more for the latter.
If you’re asking the question “what is PII under GDPR?” there’s a good chance you know some of the lingo already, but it’s worth reviewing.
This term refers to any number of pieces of information that a company might store that can be used to identify individuals. Bad actors who accumulate enough PII on an individual may be able to compromise the individual’s accounts or even steal the individual’s identity. Examples of PII include (but aren’t limited to) driver’s license numbers, social security numbers, full names, physical addresses, and credit card numbers.
Remember, this is an American term, not a global one.
Non-PII is what’s left that’s not PII, in the American way of viewing things. This is the kind of information that can be used in aggregate forms. It’s useful data, but it can’t be used to identify individuals on its own. Examples include IP addresses, device IDs, and cookies left behind on devices while browsing the web.
Personal data is the EU equivalent of PII. It’s the information that businesses store on customers that could be used to identify those customers. The important difference here is the breadth of the definition.
GDPR concludes that even non-PII can be personal data. Cookies and IP addresses, for example, can be used in conjunction with PII to help reconstruct a person’s identity. For this reason, even these forms of information are considered personal data and are protected under GDPR.
Given the changing landscape of privacy regulations, businesses must adapt and stay compliant. Here are a few best practices for complying with GDPR.
Survey What Data You Collect
The first step toward compliance is to know what your business is collecting. Conduct a comprehensive survey of the data that you collect and store through your site.
Keep Only What You Need
Second, ask the hard questions about what personal data your business truly needs. If it’s not providing real value, dump it.
Get Permission to Keep It
Whatever you decide is essential, ask permission to keep it. That’s what the cookie notices are doing, and you need to do the same.
Data privacy regulations are complex. You might not want to go it alone. If not, we’re here to help. Contact us today!
Thanks for helping us upgrade our Macs and get them working exactly as our business needs! Fast, convenient and very knowledgeable! You’re the best!
Alary Technologies has been our IT support team for the past year at the START Clinic for Mood and Anxiety Disorders. They have done a excellent job in upgrading our system, organization, and supporting us in technical computer matters. Compared to other IT companies we have worked with, Alary Technologies comes on top. Ahmed Kufaishi the Managing Director at Alary Technologies is solution focused, knowledgeable and makes an effort to really understand his clients’ needs. It has been a pleasure to work with Ahmed and Alary Technologies. I would recommend their services to other companies and clinics.
“We continue to work with Alary Technologies due to the fact that they are quite educated and knowledge based with current upgrades, and their commitment to their customers.”
Ahmed has been providing our company with expert IT services for close to 3 years. He has guided us through hardware upgrades, server back up procedures and was instrumental in brokering a custom software program that fully automated some key functions in our business. Ahmed has always been thoroughly professional in all his dealings with us and has provided consistent and sound advise for all of our IT requirements. We consider Ahmed and Alary Technologies to be an important partner for our business.
It is refreshing to work with someone who can organize things and describe in plain language. I have a large and growing knowledge base for my work as an architect. I have realized that I can’t do everything, that I do need a team member who can look after this one relatively small by crucial part of my practice.