GDPR Primer #2: What is personal data?

Last week I wrote the first of what will probably be a few articles about GDPR, EU’s General Data Protection Regulation.  It governs the protection of “personal data” that your company is storing from EU citizens living in the EU.  (They must be EU citizens, and they must be currently living in the EU for the regulation to apply.)

Note: This article is one in a series about GDPR.  Here’s a list of articles so far: 

As mentioned in my last article, US companies are subject to the regulation if they have personal data from EU citizens. Nexus or a physical presence is not required, only that you have data from people living there.

Is Personal Data the same as PII?

In the US we have a term we like to use called Personally Identifiable Information (PII), which includes certain data types that can be used to identify a person. Examples include social security numbers, birthdays, names, employers, physical addresses, and phone numbers. It's usually the combination of two data elements that makes something PII; for example, knowing someone's name and their birthday puts you one data point away from being able to steal their identity. All you need is the social security number and you're off to the races.

Personal Data, as defined by the GDPR, includes what we call PII, but it includes “any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.”  This is interpreted so far to include things like IP addresses, social media profiles, email addresses, and other types of data that we don’t think of as PII in the US.

Someone filling out a basic marketing form on your website has submitted what the GDPR considers personal data to your company. If there’s enough for the person to be identified in any way – which a marketing form would most certainly have – then it’s considered personal data as far as GDPR is concerned.

GDPR is coming

GDPR goes into effect May 28th.  If you haven’t talked to your backup company about it, it’s time to start having that conversation.

Written by W. Curtis Preston (@wcpreston), four-time O'Reilly author, and host of The Backup Wrap-up podcast. I am now the Technology Evangelist at Sullivan Strickler, which helps companies manage their legacy data.

1 comment
  • […] I am not a lawyer. I’m not even what I consider a GDPR specialist. But I’ve read a lot of the text of the GDPR, and I’ve read a lot about it and watched a lot of videos. So I’d like to offer my layman’s interpretation of an important aspect of GDPR – the right to be forgotten – and whether or not it means we have to delete data from our backups. For some background info on GDPR and why you should care about it, feel free to reference my other blogs on the subject here and here. […]