HIPAA Journal is the leading provider of news, updates, and independent advice for HIPAA compliance

Personally Identifiable Data under the GDPR

With the introduction of the General Data Protection Regulation (GDPR) only weeks away, all groups involved in processing the personal data of individuals based in the EU should be aware of their duties under the new law, including their obligations when processing Personally Identifiable Data under the GDPR.

What is Personally Identifiable Data?

Personally Identifiable Data is a term used to refer to any piece of information which, either alone or when combined with additional information, allows a living person to be identified. In the past the term mostly designated home addresses or telephone numbers; however, it has evolved with the greater presence of technology and mobile devices in everyday life.

Today, the term Personally Identifiable Data can also apply to IP addresses, email addresses, social media identifiers, or online images. These elements are not always classified as Personally Identifiable Data, but they may be, depending on the context: a username or an IP address alone may be enough to identify someone directly; in contrast, sometimes even both of these pieces of information combined with several others are still not enough to do so.

Managing Personally Identifiable Data

Prior to the introduction of the GDPR, companies and agencies involved in processing the personal data of people based in the EU should take a number of steps. The first, and perhaps the most important, is to conduct an audit of all of the information they have stored. This will allow them to identify the data which can be classed as Personally Identifiable Data and verify that all the necessary elements are in place for that data to be held in compliance with the GDPR. Organizations should confirm:

– What data they have stored

– The storage location for all data

– Whether the processing of the data is justified by a GDPR compliant legitimate reason

– Whether the continued storage of the data is justified or whether it should be erased

– Whether systems are in place to allow all data related to a data subject to be provided should an individual make a Subject Data Request (SAR), or request their information be erased

It is important for groups to document the different processes and procedures that they have implemented. A number of details must be recorded concerning how the data was gathered, how it was processed, the purpose it was processed for, the date it was recorded, the person responsible for collecting it, and the person responsible for managing it. This is a crucial step, as groups must be able to demonstrate their compliance with the GDPR. While it is a somewhat “guilty until proven innocent” situation, data protection authorities require proof that all is above board, and they may impose penalties if it is not provided. This may occur even if there are no outward signs of GDPR violations.

Should a company or an agency be found not to have correctly or sufficiently audited their data or recorded their internal procedures, they may be in violation of the GDPR. Regulatory authorities can penalize non-compliance, and the punishments can be severe. The maximum financial penalty that can be sought is either €20 million or 4% of annual global revenue, whichever is higher. This on its own would be quite a blow to a business, but organizations should not lose sight of the additional harm that a GDPR violation would cause to their image and reputation among consumers.

When customers have confidence in the security of their data, they may be more inclined to share it. Conversely, if clients do not trust that an organization will use their data only in the manner they gave permission for, or do not believe their data will be kept safe, they may be less likely to share it. Groups that have lost consumer confidence may find themselves unable to regain it, their image tarnished indefinitely.