GDPR Did You Know: The Difference between Personal Data and Personally Identifiable Information

Yer personal information now be pirate booty.

You can thank a pirate, matey, for potentially expanding Europeans’ rights to protect their personal data amid the turbulence of changing regulatory seas and the tide of digital transformation.

‘Twere Patrick Breyer who fired the broadside at the German government, claiming it was illegally collecting information about him through his IP address.

Patrick, ya see, is himself a government official – a member of the Schleswig-Holstein regional parliament. He sails under the flag of Germany’s Pirate Party, which thinks government ideas about regulating the internet belong in Davy Jones’ locker.

His representatives convinced the European Union Court of Justice – the equivalent of the United States Supreme Court when it comes to interpreting laws – that Patrick’s course was as true as the North Star.

In a landmark privacy action, the high court expanded the definition of personal data to include dynamic IP addresses, under some circumstances, and sent the case back to the German court for a rehearing.

Now before we get too carried away with talking like a pirate, let’s get to the bigger meaning of these developments.

The European Union’s new General Data Protection Regulation (GDPR), which goes into full effect in May 2018, significantly increases the data privacy rights of consumers and the requirements on companies that solicit and retain customer identities. And there is no pirate port where you can hide – GDPR applies to all companies, anywhere in the world, that do business with customers in Europe.

To stay in compliance with GDPR requires, among many other things, understanding the difference between “personal data” and “personally identifiable information,” or PII.

PII, a commonly used term in North America, refers to a relatively narrow range of data such as name, address, birth date, Social Security number and financial information such as credit card numbers or bank accounts.

Personal data, in the context of GDPR, covers a much wider range of information that can include social media posts, photographs, lifestyle preferences and transaction histories. And now, thanks to the German Pirate Party, even IP addresses.

In other words, all PII is personal data but not all personal data is PII.

Building a successful GDPR compliance program will require marketers and IT architects to move beyond the narrow scope of PII to consider the full range of personal data as defined by the EU.

Or yer might find yerself keelhauled by a court, matey.

This is the first in a series of occasional blog posts exploring key concepts behind GDPR.

By Jason Rose