GDPR

What is personally identifiable information (PII)? How to protect it under GDPR

The EU's General Data Protection Regulation requires companies to protect the privacy of their EU customers. That means keeping personally identifiable information (PII) safe. Here's what you need to know.

Personally identifiable information (PII) is any data that can be used to identify a specific individual. Social Security numbers, mailing or email addresses, and phone numbers have most commonly been considered PII, but technology has expanded the scope of PII considerably. It can include an IP address, login IDs, social media posts, or digital images. Geolocation, biometric, and behavioral data can also be classified as PII.

This broad definition of PII creates security and privacy challenges, especially when specific and stringent safeguards for it are spelled out in regulations such as the European Union’s (EU’s) General Data Protection Regulation (GDPR). It goes into full effect May 25, 2018, and it impacts any company, worldwide, that processes or stores personal data of EU residents.

The new rules grant people more rights regarding how companies handle their personally identifiable information (PII), and they impose heavy fines for non-compliance and data breaches: up to 4 percent of a company’s yearly revenue. The GDPR also requires that companies report data breaches within a 72-hour window. (See “General Data Protection Regulation (GDPR) requirements, deadlines and facts” for more specifics on the regulation.)

Even if you don’t do business with the EU, the GDPR is likely to have an impact on global security standards going forward. Consequently, companies working in the EU or with GDPR-impacted data are quickly trying to come into compliance ahead of time. For security teams, this means making sure that PII is adequately protected and that the proper reporting processes are in place.

As Brian Vecci, Technology Evangelist for Varonis, says, “Most companies aren’t prepared at all. You’ve got companies sitting in the Midwest of the United States, that because someone from the EU signed up for their newsletter, are suddenly subject to one of the most onerous privacy regulations ever. That’s what is so grand about the GDPR. It cuts across all verticals. It doesn’t just impact financial organizations, or hospitals. If you have PII from one of the 28 member states, then it impacts your organization.”

For good or bad, GDPR does not define any specific data protection controls that an organization must follow. Each organization is allowed to determine, for itself, the necessary security controls for the collected data, confidentiality and risk.

Olivier Van Hoof, Pre-Sales Manager of Europe for Collibra says GDPR starts with data governance, “You’ve got to put a data governance platform in place before you can really begin to secure the data. It’s a lot more than just technically securing the data. Most organizations are beginning by looking at their business processes first, then looking at the logical processes that collect the data, and then to the physical data itself. GDPR is also about understanding that the data is really owned by the individual. You’re really just hosting the data.”

What does GDPR mean by “personal” data?

The definition of personal data under the GDPR is very broad, far more so than most other countries’ current or previously existing personal data protections. It includes any information relating to a specific individual, whether that data is private, public, or professional in nature. It applies not only to names, addresses and financial information, but to anything that could identify an individual (e.g., IP addresses, logon IDs, biometric identifiers, geographic location data, video footage, customer loyalty histories, social media posts and photos). If it is identifiable to a specific individual, it’s included.

The impact of the GDPR means that you are going to have to not only protect more types of data in the future, but also expend more effort in identifying existing data that perhaps wasn’t considered PII before. Vecci says, “Before, even if you had PII from one of the EU states, what you had collected might not have been considered PII in that country. Now, all of a sudden starting in May, it is PII.”

GDPR-impacted companies will need to identify, to the best of their abilities, information that was not tracked or indexed before. For example, a recorded customer support call may need to be located, protected, tracked, and reported.

What are the new user rights for PII?

Documented “opt-in” consent must be given for every person (or their legal guardian). The consent must explicitly identify the data collected, what it is used for, and how long it will be kept. Further, participants can remove their consent at any time and request that their personal data be deleted (as long as they supply one of the approved reasons).

Under the GDPR, individuals may also control what happens with their PII. Besides the ability to request that it be deleted, they can get factual errors corrected, see what data of theirs is stored, and even export it for their personal review and use. These important rights are net new for most organizations.

Vecci sees most companies initially just trying to understand how big of a GDPR issue they have. “They don’t know what they don’t know. They need to find out where the data is stored and whether it is covered by GDPR. Then they have to least-privilege protect it and track it. Luckily, my company Varonis has been doing exactly that since the beginning. We specialize in not only finding the data, but determining who has access to what, and whether they need access to the data. With other data protection regulations it was enough to keep the data safe from the outside. Now it has to be better secured on the inside, because Article 25 of the GDPR says the data has to be least privilege protected by design and by default. And you can’t do that without first understanding where it is and who can access it.”

Can hackers exploit GDPR rules around PII?

Yes! Security researcher and Oxford University student James Pavur demonstrated at the recent Black Hat conference how he was able to gather his fiancée's PII from multiple organizations using GDPR requests (with her permission).

This bit of social engineering proved effective and not very challenging for Pavur. Of the 150 GDPR requests sent, 24% of the organizations accepted his fiancée's email address and phone number as proof of identity. He was able to get her Social Security number, credit card number and expiration date, account passwords, date of birth, and mother's maiden name, enough to do some real damage.

How does the GDPR affect the structure of security teams?

The GDPR defines multiple roles with rules and responsibilities for each role. A data subject is an individual whose personal data is being collected. A data controller is the organization that collects the data. A processor is an organization that processes the data on behalf of a data controller. Controllers and processors must maintain written records of what data was collected, how it was appropriately collected, how it was used, and when it was disposed of.

Although great for data subjects’ control and privacy, most companies do not already have these types of data protection tracking systems. Security teams will have to not only protect the data against traditional threats, but do so in a way that is transparent, documented, and retrievable to possibly large numbers of data subjects, all while maintaining strong security of the data. Every computer security team member will have to be trained in GDPR compliance and what it means to the organization’s existing and future security controls.

Many of the participating enterprises, private and public, must have an official data protection officer (DPO). The DPO is not only a key figure in maintaining legal compliance with the GDPR, but also needs the technical knowledge or staff to secure data and ensure business continuity. The DPO is expected to operate independently of the organization that employs him or her. The EU felt the DPO position was crucial enough that they issued a separate, more detailed 18-page document about the position.

The DPO position might seem a natural fit for a CSO, and it might be. CSOs are certainly familiar with technical computer security requirements and controls, as well as interfacing with top management. But a DPO has to have a strong understanding of privacy and compliance requirements, which is typically better understood by chief privacy officers (CPO) or other privacy advocates. On the other hand, privacy officers may not understand the technical side of things. Smaller businesses, with much smaller management teams, may end up appointing the employee with the “best fit”, like a comptroller, or even choose an external DPO, which may or may not work with other companies, as well. In all cases, the GDPR requires that the DPO be an independent auditor of compliance and be directly accessible to the data subjects, the complying organization, and GDPR supervisors. When data is collected from the subject, the contact details of the entity’s controller and DPO must be given.

Van Hoof says, “Most large European companies have already hired DPOs, but I’ve seen outsourced DPOs or shared DPOs by smaller and medium-sized businesses.”

Data protection and processing records must be kept and made available for routine and regular inspection, not only by auditors, but by individual data subjects. How will a complying entity ensure that the records are available for individual private inspection, while at the same time kept secure from unauthorized viewers? Will each individual subject require a new identity management tracking and access control system, for what could be potentially millions of data subjects? Probably, at the very least. Or could an organization meet the GDPR requirements by simply printing out an individual’s records and mailing a hard copy to them? These are the important details the DPO, management and security team must work out.

National data protection authority

Each participating country (also known as a member state) has a national data protection authority (DPA). DPAs are responsible for determining compliance and enforcing relevant laws at a national level, but are required to be very independent, even of their nation’s own government control. Tricky stuff.

Member states may have one or more national DPAs for complying entities to choose from. Each entity can choose one DPA, which regulates GDPR compliance for the entire entity, regardless of how many member states the company operates in or derives its data from (something known as “one-stop-shop”). The “lead supervisor authority” has the ability to control data processing and protection happening in other member states. Some critics correctly note that companies operating in multiple member states may shop for the most flexible DPA with which to operate, much like they already do for lower taxation and organizational independence today.

Some experts aren’t sure how much benefit would be gleaned by “DPA shopping”. Van Hoof says, “You’re going to see a lot of coordination and communication among DPAs from the different countries. Although there are going to be some differences among DPAs in each country because of their local laws and regulations, 95 percent of what they do will be general and the same no matter what country.”

DPAs were established under a previous EU data protection law, but significantly strengthened under the GDPR. The DPAs are essentially the official regulators and police in the GDPR scheme. The DPA helps decide on matters of law, and it can investigate companies for potential violations, hold controllers or processors legally responsible for GDPR violations, and assess penalties. It also decides if an entity can transfer data outside of the EU, and if so, what protections must be applied. For a particular organization, its DPO is likely to be the primary contact to the DPA and vice-versa. Because of the inherent responsibilities, both the DPO, and especially the DPA, are likely to be composed of teams of people and not a single person.

If a data subject feels a violation has occurred, they can contact either the DPO or DPA, which was selected by the involved company and communicated to the subject. This can be awkward in practice, as a controller’s or processor’s DPO or DPA may not be in the same country or speak the same language as the subject.

Data breaches must be reported quickly

Personal data breaches (including theft, data loss, destruction, or adulteration) must be reported immediately, or at least within 72 hours, to the lead supervisor authority (i.e., DPA). The impacted individuals must be notified if an adverse impact is expected. However, if the data is appropriately encrypted or anonymized, and that ultimate protection has not been breached, then the individuals do not have to be notified.
