Puzzling the GDPR Challenge with personally identifiable information
Working with data, and with companies that work with personally identifiable information (PII) or sensitive personal information, the question of what exactly PII or PI really is comes up again and again.
I'm not an expert on PII or on all the requirements and nuances of regulations like the European GDPR, but to a certain extent there is a degree of common sense that anyone should apply to how they think about PII.
GDPR is presently very topical, not least because it applies from 25 May 2018. The General Data Protection Regulation (Regulation (EU) 2016/679) entered into force in May 2016, but its two-year transition period ends on that date, after which it is enforceable in full.
The regulation was adopted by the European Parliament and the Council of the European Union on a proposal from the European Commission. It replaces the 1995 Data Protection Directive (95/46/EC) and is intended to strengthen and unify data protection for individuals within the European Union (EU).
You only have to do a Google search (or perhaps a DuckDuckGo one) for GDPR to see that there is a lot of information, half-truths, perspectives and opinion on the topic.
Understandably, any business with a presence in the EU will be concerned. Businesses that aren't based in the EU should be concerned too. The regulation's territorial scope (Article 3) covers the personal data of people who are in the EU, regardless of their nationality and regardless of where the organisation processing it is established, where the processing relates to offering them goods or services or to monitoring their behaviour. While parts of the text are open to interpretation, that very ambiguity means courts and supervisory authorities could read them in ways that turn out to be very expensive in penalties (up to EUR 20 million or 4% of worldwide annual turnover, whichever is higher, under Article 83).
Appropriate data for appropriate use
It may seem obvious, but every business would want to have complete and correct information about the people it has in its databases. The challenge, though, is: does it know what data it actually has? Does it know how recent or complete that data is? Does it know where it came from, and more importantly, should it have it at all?
For the CIO the challenge will also be to find all the possible places, in terms of systems and records, where PII and other data subject to GDPR could be housed. Trying to regulate how businesses obtain, use, manage and secure PII has been a challenge for regulators for a long time. One of the ways this is done is by classifying whether a business or entity is a "data controller" (it decides the purposes and means of the processing) or a "data processor" (it processes the data on a controller's behalf). Both roles carry responsibilities, but they differ; notably, under GDPR processors now have direct obligations of their own (Article 28) rather than only contractual ones passed down from the controller.
Several attempts have been made to establish mechanisms to control and regulate what businesses should be doing with data and the responsibilities they have for it. This EU regulation builds on those earlier efforts, in particular Directive 95/46/EC, but leaves the definitions of "data controller" and "data processor" essentially unchanged.
Is address data PII?
My most recent discussion on PII revolved around whether an address is PII. Some would argue that it is, others that it cannot be. Stitching additional pieces of information together with an address can certainly produce PII, though. When that happens, the joined data is far more identifying than the two pieces were in an unconnected state.
When I refer to address here, I am referring to a physical address like Rudolf-Breitscheid-Strasse 187, 14482 Potsdam.
I might wonder who lives or works there, whether anyone lives or works there at all, and what their names, ages and gender are. I can't tell much from the address itself. However, I can in all likelihood work out whether there is a business there. Identifying a business is not in itself making use of PII. But I could then connect the business address with the people who work for a business located there by other means: their LinkedIn profiles, their email addresses, or even a reverse phone lookup.
Further, if there is a computer network there and I have data geo-located to that address that tells me the IP addresses or MAC addresses of devices seen there, I could add that to my cache of data, and it gets even more interesting if I also know the identities and types of the devices behind those IP addresses.
The whole business of how to ensure that you're still compliant gets potentially messy very quickly, and then of course there is the question of what your intent is with this newly joined data. Under GDPR, online identifiers such as IP addresses are expressly listed among the things by which a natural person may be identified (Article 4(1), with IP addresses named in Recital 30), and they can enable organisations to build profiles around people.
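The linkage described above, as an added example that is not part of the original post: four small data sets that each look harmless on their own (a business register, scraped professional profiles, geo-located network telemetry, and a device inventory) are joined on the physical address, and a crude identifiability check reports whether any resulting record now points at a single person. Every record, name, email, IP and MAC below is constructed for illustration; `link_address` and `is_personal_data` are hypothetical helpers written for this example, not an API of any real tool.

```python
"""Added example: joining innocuous data sets on an address until they identify people.

All data below is constructed; nothing here comes from a real register, profile
site, telemetry feed or inventory.
"""
from collections import defaultdict

ADDRESS = "Rudolf-Breitscheid-Strasse 187, 14482 Potsdam"

# Constructed data set 1: a public business register keyed by street address.
BUSINESS_REGISTER = [
    {"address": ADDRESS, "business": "Example Analytics GmbH"},
    {"address": "Musterstrasse 1, 10115 Berlin", "business": "Sample Bakery"},
]

# Constructed data set 2: scraped professional profiles (employer, no address).
PROFILES = [
    {"name": "A. Muster", "employer": "Example Analytics GmbH", "email": "a.muster@example.com"},
    {"name": "B. Beispiel", "employer": "Example Analytics GmbH", "email": "b.beispiel@example.com"},
    {"name": "C. Probe", "employer": "Sample Bakery", "email": "c.probe@example.net"},
]

# Constructed data set 3: network telemetry geo-located to an address (no names at all).
NETWORK_OBSERVATIONS = [
    {"address": ADDRESS, "ip": "203.0.113.10", "mac": "02:00:00:00:00:01", "device": "laptop"},
    {"address": ADDRESS, "ip": "203.0.113.11", "mac": "02:00:00:00:00:02", "device": "phone"},
]

# Constructed data set 4: a device-management export mapping MAC to the owner's email.
DEVICE_INVENTORY = [
    {"mac": "02:00:00:00:00:02", "owner_email": "b.beispiel@example.com"},
]


def index_by(rows, key):
    """Group dict rows by one field: a tiny in-memory join index."""
    idx = defaultdict(list)
    for row in rows:
        idx[row[key]].append(row)
    return idx


def link_address(address):
    """Join the four data sets on a physical address and return what can be inferred.

    Each step on its own is innocuous (address -> business, business -> staff,
    address -> IP/MAC, MAC -> owner); the combination is what yields data that
    relates to identifiable people.
    """
    businesses = [r["business"] for r in index_by(BUSINESS_REGISTER, "address")[address]]
    staff_by_employer = index_by(PROFILES, "employer")
    staff = [p for b in businesses for p in staff_by_employer[b]]
    owner_by_mac = {r["mac"]: r["owner_email"] for r in DEVICE_INVENTORY}
    name_by_email = {p["email"]: p["name"] for p in PROFILES}

    devices = []
    for obs in index_by(NETWORK_OBSERVATIONS, "address")[address]:
        owner_email = owner_by_mac.get(obs["mac"])
        # An IP seen at the address narrows to the people who work there;
        # a MAC that also appears in the inventory narrows to exactly one person.
        if owner_email in name_by_email:
            candidates = [name_by_email[owner_email]]
        else:
            candidates = [p["name"] for p in staff]
        devices.append({"ip": obs["ip"], "mac": obs["mac"],
                        "device": obs["device"], "candidates": candidates})

    return {"address": address, "businesses": businesses,
            "staff": [p["name"] for p in staff], "devices": devices}


def is_personal_data(linked, max_candidates=1):
    """Crude identifiability test: does any device record now single out a person?

    max_candidates=1 is the strictest reading; a small group (say 5 or fewer) is
    still a concern, so tune the threshold for your own risk appetite.
    """
    return any(len(d["candidates"]) <= max_candidates for d in linked["devices"])


if __name__ == "__main__":
    linked = link_address(ADDRESS)
    for d in linked["devices"]:
        print(d["ip"], d["mac"], d["device"], "->", d["candidates"])
    print("personal data after linkage:", is_personal_data(linked))
```

Note that the address record and the telemetry record are each free of names; only the join across the inventory turns `203.0.113.11` into a record about one named person, which is exactly the point at which the data set falls within the regulation.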
So as you can see, fitting together pieces of a puzzle from different data sets can take seemingly innocuous data to a new level where it is very much subject to the GDPR.