How is Personally Identifiable Data Defined under GDPR?

By now, most businesses and organisations will be aware of the General Data Protection Regulation (GDPR) All businesses or organisations that process the personal data of people who live within the European Union must comply with the new regulation.

What is Personally Identifiable Data?

Personally Identifiable Data is defined as any item of data that by itself, or in conjunction with other items, can identify a living individual. Traditionally, this type of data has involved phone numbers, street addresses and email addresses. However, a rise in the amount of available technology has changed the landscape somewhat.

Now, digital data such as an IP address, a social media entry or an online image could all be regarded as personally identifiable data. This does not mean that all of these items are regarded in this way. It depends on the individual case. Sometimes, just a name can be enough to identify an individual. On other occasions, it can be difficult to identify someone even when several pieces of data are held.

Dealing with Personally Identifiable Data

Before the GDPR becomes law on 25 May 2018, any business or organisation that processes the personal data of individuals residing within the EU should carry out an audit of the data they hold and ensure that GDPR stipulations are applied in the case of every piece of personally identifiable data that is held. Checks that should be carried out include:

  • What data is held?
  • Where is the data held?
  • Is there a legitimate reason for processing the data; having regard to GDPR rules?
  • Is the data still required or can it be deleted?
  • Can the data easily be retrieved if a subject access request (SAR) is received?

Businesses and organisations also need to keep records of all the processes and procedures that they have in place. This includes keeping information about the collection and processing of all personal data including details of where it is being held, what it is being used for, when it was collected, who collected it and who is responsible for managing it. This documentation is important as businesses and organisations do not just have to comply with GDPR, they also need to provide documentary evidence of compliance.

Failure to carry out an audit or document processes and procedures could result in non-compliance. As a consequence, sanctions could be applied. These sanctions include potentially large fines of up to €20m or 4% of annual turnover, whichever is greater. It is not just the financial aspect of non-compliance that businesses and organisations should be wary of. They also need to think about damage to their reputation.

If customers and potential customers see that a business has not complied with the new laws they may be reluctant to give them their business. This type of reputational damage can be very difficult to overcome.