Image Source : Getty
In today’s digital era, where information flows freely, and technology advances exponentially, protecting personal and sensitive data has become crucial.
There has been a rise in online data theft cases and businesses collecting the consumer’s data and selling it to third parties without their consent.
Because of these instances, consumers today are very serious about how their data is being collected, its purpose, and how long that data will be retained with the companies.
Government around the world have been playing their parts in providing the required privacy framework to customers’ data by bringing data privacy laws into effect and making it mandatory for businesses to follow, as failing to do so can lead to a hefty number of fines and penalty.
These laws ensure that the personal data of the residents of that particular country is collected and used ethically and with their permission.
These laws ensure that customers have the authority of their data instead of the companies.
The European Union’s General Data Protection Regulation (GDPR) is a groundbreaking law introduced in 2018 that has revolutionized how organizations handle and protect personal information.
The GDPR’s privacy and security rules must be followed by your business whenever you collect, use, or store the personal data of EU citizens.
Failure to do so could result in costly fines.
The EU’s General Data Protection Regulation (GDPR) seeks to strike a balance between being rigid enough to guarantee people a distinct and precise level of protection for customers’ personal information and being flexible enough to consider the legitimate interests of both the public and companies.
Now the question arises: what exactly is defined as Personal Information or Personally Identifiable Information (PII) under the EU’s GDPR?
This article will delve deeper and help you understand what data or information is covered under the domain of PII in GDPR.
What is personally identifiable information (PII)?
Any data that may be used to identify a specific person, such as their social security number, complete name, or email address, is called personally identifiable information (PII).
The amount of PII shared with businesses has increased as people rely on information technology in their personal and professional lives.
For instance, businesses collect client data to understand their markets better, and people willingly share their home and phone numbers to join up for services and shop online.
Sharing PII can be beneficial, too, since it enables companies to adjust their goods and services to the requirements of their clients, for example, by providing more accurate search results in navigation apps.
However, cybercriminals are drawn to the expanding PII collected and stored by businesses.
PII is stolen by hackers who use it to commit identity theft, sell it on the black market, or hold it captive via ransomware.
Eighty-three percent of businesses have had more than one data breach, with the average breach costing USD 4.35 million, according to IBM’s Cost of a Data Breach 2022 research.
(Source- https://www.ibm.com/topics/pii)
To safeguard data privacy in the face of these threats, people and information security experts must navigate a complicated IT and legal landscape.
What is considered PII under GDPR?
Only personal data—any information that belongs to an identifiable individual—is covered under the EU’s GDPR.
Any company that does business with residents of the EU needs to understand this idea to comply with GDPR.
The GDPR makes considerable efforts to define what is and is not personal data as part of this complex balancing act.
GDPR defines Personal data as’
any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.
Additionally, personal data processed only in one of the two ways is covered by the GDPR:
- Personal data processed wholly or partly by automated means (or information in electronic form); and
- Personal data processed in a non-automated manner forms part of, or is intended to form part of, a ‘filing system’ (or written records in a manual filing system).
Contractors working for the Department of Labor (DOL) are reminded that protecting confidential information is an essential duty that must always be treated seriously.
The following security guidelines are specified by DOL internal policy for the protection of PII and other sensitive data:
- The user must protect any data they have access to. Users are required to follow the guidelines outlined in applicable Systems Security Plans, DOL policies, and agency guidance.
- Contractors working for the DOL who have access to personal information are required to protect the privacy of such information and abstain from actions that might indicate a careless handling of that information.
Additionally, contract workers must refrain from office chitchat and not allow unauthorized access to documents kept in a DOL records system.
Only people who “need to know” information can access these record systems to perform their official duties.
Elements of GDPR PII
Direct vs. Indirect Identifiers
Direct and indirect identifiers are the two categories under which PII falls.
Direct identifiers, such as a passport or driver’s license number, are specific to an individual.
Usually, one direct identification is sufficient to establish someone’s identity.
No two indirect identifiers are the same, which means they are not unique.
They contain broader demographic information, such as race and place of birth.
A set of indirect identifiers can identify a person even though a single one cannot.
For instance, the gender, ZIP code, and date of birth of 87 percent of U.S. citizens were sufficient to identify them.
(source- https://www.ibm.com/topics/pii)
Sensitive PII vs. Non-Sensitive PII
Not all personal information is regarded as PII.
For instance, information about a person’s streaming preferences isn’t considered PII because it would be difficult, if not impossible, to identify a person merely based on what they watch on Netflix.
Only information that may be used to identify a specific individual is considered PII, such as the data you could provide to your bank when contacting them to confirm your identification.
There are PII items that are more sensitive than others.
Sensitive PII is sensitive information that can be used to identify an individual and poses considerable harm if lost or stolen.
Sensitive PII includes things like a social security number (SSN).
Financial institutions and governmental organizations frequently use SSNs to confirm people’s identities, making it simple for criminals to access their victim’s bank accounts or tax records if they obtain their SSNs.
Some other examples of sensitive PII are:
- Unique identification numbers, such as those on driver’s licenses, passports, and other documents issued by the government.
- Fingerprints and retinal scans are examples of biometric data.
- Medical records.
- Financial details, such as credit card and bank account numbers.
Sensitive PII is often not publicly accessible.
Most existing data privacy laws mandate that businesses protect sensitive PII by encrypting it, restricting who has access to it, or taking other cybersecurity precautions.
Non-sensitive PII is private data that, if leaked or stolen, would not significantly harm a person if used alone.
It might or might not be specific to one person.
A social network handle, for instance, would be an example of non-sensitive PII:
Although it may be used to identify a person, a cybercriminal would not be able to steal their identity using only their social media account name.
Other instances of Non-sensitive PII are:
- The full name of a person
- The maiden’s name of the mother
- Telephone number
- IP addresses
- Birthplace
- Birthdate
- Geographical information, including ZIP code, city, state, and country
- Information about employment
- Email or mailing address
- Ethnicity or race
- Religion
Non-sensitive PII is usually accessible to the general public; for instance, phone numbers may be recorded in a phonebook, and addresses may be listed in public property records maintained by a local government.
While some data privacy laws do not mandate the protection of non-sensitive PII, many businesses take precautions.
Thieves could create problems by combining various pieces of non-sensitive PII.
For instance, a hacker may use a person’s phone number, email address, and maiden name to access their bank account app.
They can get a username from the email, a verification code can be obtained using a fake phone number, and the security question can be answered using the mother’s maiden name.
How to protect PII?
Hackers steal personally identifiable information (PII) for various reasons, including identity theft, blackmailing, or the black market, where they can sell it for up to USD 1 for a social security number and USD 2,000 for a passport number.
The use of ransomware or the theft of PII to gain access to executives’ email accounts for use in spear phishing and business email compromise (BEC) schemes are other ways hackers may target PII as part of a more significant attack.
Protecting PII for businesses can be challenging.
Because of the development of cloud computing and SaaS services, PII may now be handled and stored across several networks rather than in a single, centralized one.
The quantity of sensitive data kept in public clouds is anticipated to double by 2024, and more than half of enterprises believe this data is not sufficiently safe, according to a report from ESG.
(Source- https://www.ibm.com/topics/pii)
Organizations typically establish data privacy frameworks to protect PII.
These frameworks can take numerous forms depending on the company, the PII it collects, and the data privacy laws it must comply with.
The National Institute of Standards and Technology (NIST) offers the following sample framework as an illustration:
1. Identify and list down all PII in the company’s systems.
2. Reduce the amount of PII collected and used, and frequently discard any PII that is no longer required.
3. Sort PII into categories based on its sensitivity.
4. Implement data security controls. A few examples of controls are:
- Encryption- No matter where personally identifiable information (PII) is stored or handled, homomorphic encryption or confidential computing can help maintain PII secure and compliant.
- Identity and access management (IAM)- Two-factor or multifactor authentication may place additional barriers between cyber criminals and private information.
Similarly, implementing role-based access controls (RBAC) and zero-trust architecture can restrict the amount of personally identifiable information (PII) that hackers can access if they break into the network.
- Training- This could involve educating staff members on the proper handling and disposal of PII and educating them about protecting their own PII (such as through anti-phishing, social engineering, and social media awareness training).
- Anonymization- Making sensitive data anonymous means removing it from all identifying characteristics.
Some common anonymization strategies include eliminating identifiers from data, aggregating data, or purposefully introducing noise to the data.
- Cybersecurity tools- Data tracking tools (DLP) make it easier to spot leaks and breaches by following data as it flows throughout the network.
Tracking PII usage and misuse may also be helped by other cybersecurity solutions that provide high-level views of network activities, such as extended detection and response (XDR) technologies.
5. Devise an incident response strategy for breaches and PII leaks.
It’s important to note that depending on how sensitive the data is, NIST and other data privacy experts usually advise using different restrictions on specific data sets.
Applying strict safeguards to non-sensitive data may be time-consuming and expensive.
Conclusion
This guide is not an exhaustive list, but it should help you understand some of the concepts for determining whether the data your organization processes is subject to the EU’s GDPR requirements.
If you need further help with Data privacy compliance and risk mitigation, head over to PrivacyPillar, which is your solution to all data privacy concerns and sets your organization for success in the digital age.
We at PrivacyPillar help you understand the “Power of Permission” and convert your customer’s consented data into profits while avoiding the anxiety and fines associated with non-compliance.
FAQs
1. What is Personally Identifiable Information (PII)?
Personally Identifiable Information (PII) refers to any data that can be used to identify a specific person, such as their social security number, complete name, or email address. It is crucial to protect PII to prevent identity theft and unauthorized access.
2. What is GDPR?
The General Data Protection Regulation (GDPR) is a groundbreaking EU law introduced in 2018. It sets rules for the collection and processing of personal data, aiming to protect the privacy of individuals. Businesses dealing with EU residents must comply with GDPR guidelines.
3. What is the difference between Direct and Indirect Identifiers in PII?
Direct identifiers, like passport numbers, are specific to an individual, while indirect identifiers, such as demographic information, are not unique on their own but can identify a person when combined. Both play a role in defining Personally Identifiable Information.
4. What is Sensitive PII?
Sensitive PII includes information that, if lost or stolen, can cause significant harm to an individual. Examples include social security numbers, biometric data, medical records, and financial details. Protecting sensitive PII is crucial for privacy and security.
5. What is Non-Sensitive PII?
Non-sensitive PII, like a person’s full name or phone number, may not cause significant harm if leaked alone. However, combining various pieces of non-sensitive PII could pose a threat, emphasizing the need for safeguarding even seemingly less critical information.
6. What is the significance of PII protection under GDPR for businesses?
GDPR mandates that businesses handling personal data of EU residents must protect it ethically. Failure to comply can result in hefty fines. Businesses need to understand and implement measures to secure personal data and adhere to GDPR guidelines.
7. What are the elements of GDPR PII according to the Department of Labor (DOL)?
GDPR defines Personal Data as any information related to an identified or identifiable natural person. The DOL emphasizes protecting confidential information and outlines security guidelines for contractors accessing personal information.
8. What are the security guidelines for protecting PII according to NIST?
NIST suggests a comprehensive framework for PII protection, including identifying and categorizing PII, reducing unnecessary data, implementing data security controls (encryption, IAM), providing training, and having an incident response strategy.
9. What are some common cybersecurity measures to protect PII?
Cybersecurity measures include encryption, identity and access management (IAM), training for staff on handling and disposing of PII, anonymization of sensitive data, and the use of cybersecurity tools like Data Loss Prevention (DLP) and Extended Detection and Response (XDR).
10. What are the key steps to comply with GDPR requirements for PII?
To comply with GDPR, businesses should identify and list all PII, minimize data collection, categorize PII based on sensitivity, implement data security controls, and devise an incident response strategy. Adhering to these steps helps in mitigating risks and ensuring compliance.
