How to protect PII under GDPR

The EU's General Data Protection Regulation requires companies to protect the privacy of their EU customers. That means keeping personally identifiable information (PII) safe. Here's what you need to know.

Personally identifiable information (PII) is any data that can be used to identify a specific individual. Social Security numbers, mailing or email address, and phone numbers have most commonly been considered PII, but technology has expanded the scope of PII considerably. It can include an IP address, login IDs, social media posts, or digital images. Geolocation, biometric, and behavioral data can also be classified as PII.
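Before PII can be protected, it has to be found. The script below is an added example (not part of the original article) showing the kind of data-discovery pass a security team runs over application logs or exports to locate the PII categories the paragraph lists: email addresses, IP addresses, phone numbers and geolocation. The log lines are constructed for the example, and the regular expressions are deliberately simple heuristics, not a production-grade classifier.

```python
import re

# Constructed sample log (not from the article): operational lines that
# mix ordinary events with several categories of PII.
SAMPLE_LOG = """\
2024-05-01T10:00:01Z INFO login ok user=anna.mueller@example.de ip=203.0.113.42
2024-05-01T10:00:05Z INFO profile update phone=+49 30 1234567 user_id=8812
2024-05-01T10:00:09Z WARN geo fix lat=52.5200 lon=13.4050 user_id=8812
2024-05-01T10:00:12Z INFO healthcheck ok
"""

# Heuristic patterns for the PII categories named in the text.
# Dict order also defines redaction order (the patterns do not overlap here).
PII_PATTERNS = {
    "email": re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}"),
    "ipv4": re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b"),
    "phone": re.compile(r"\+\d{1,3}(?:[ -]?\d{2,4}){2,4}"),
    "geolocation": re.compile(r"\blat=-?\d+\.\d+ lon=-?\d+\.\d+"),
}


def find_pii(text):
    """Return {category: [matched strings]} for every category present in text."""
    found = {}
    for name, pattern in PII_PATTERNS.items():
        hits = pattern.findall(text)
        if hits:
            found[name] = hits
    return found


def classify_lines(log):
    """List (line_number, [categories]) for each line that carries PII.

    Lines without PII are omitted, so the result doubles as a scope
    list of records that fall under GDPR handling rules.
    """
    report = []
    for number, line in enumerate(log.splitlines(), start=1):
        categories = list(find_pii(line).keys())
        if categories:
            report.append((number, categories))
    return report


def redact(text):
    """Replace each PII match with a category placeholder such as [EMAIL].

    Useful when logs must be retained for operations but should not keep
    personal data longer than necessary.
    """
    for name, pattern in PII_PATTERNS.items():
        text = pattern.sub(f"[{name.upper()}]", text)
    return text


if __name__ == "__main__":
    for number, categories in classify_lines(SAMPLE_LOG):
        print(f"line {number}: {', '.join(categories)}")
    print(redact(SAMPLE_LOG))
```

Running the block prints which lines carry which categories and a redacted copy of the log; the same two functions can be pointed at database exports or ticket attachments to build the inventory that the breach-reporting window assumes you already have.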

This broad definition of PII creates security and privacy challenges, especially when specific and stringent safeguards for it are spelled out in regulations such as the European Union’s (EU’s) General Data Protection Regulation (GDPR). It went into full effect May 25, 2018, and it impacts any company, worldwide, that processes or stores personal data of EU residents.

The new rules grant people more rights regarding how companies handle their personally identifiable information (PII), and they impose heavy fines for non-compliance and data breaches: up to 4 percent of a company’s yearly revenue. The GDPR also requires that companies report data breaches within a 72-hour window. (See “General Data Protection Regulation (GDPR) requirements, deadlines and facts” for more specifics on the regulation.)

Even if you don’t do business with the EU, the GDPR is likely to have an impact on global security standards going forward. Consequently, companies working in the EU or with GDPR-impacted data are quickly trying to come into compliance ahead of time. For security teams, this means making sure that PII is adequately protected and that the proper reporting processes are in place.

As Brian Vecci, Technology Evangelist for Varonis, says, “Most companies aren’t prepared at all. You’ve got companies sitting in the midwest of the United States that, because someone from the EU signed up for their newsletter, are suddenly subject to one of the most onerous privacy regulations ever. That’s what is so grand about the GDPR. It cuts across all verticals. It doesn’t just impact financial organizations, or hospitals. If you have PII from one of the 28 member states, then it impacts your organization.”

For good or bad, GDPR does not define any specific data protection controls that an organization must follow. Each organization is allowed to determine, for itself, the necessary security controls for the collected data, confidentiality and risk.

Olivier Van Hoof, Pre-Sales Manager of Europe for Collibra says GDPR starts with data governance, “You’ve got to put a data governance platform in place before you can really begin to secure the data. It’s a lot more than just technically securing the data. Most organizations are beginning by looking at their business processes first, then looking at the logical processes that collect the data, and then to the physical data itself. GDPR is also about understanding that the data is really owned by the individual. You’re really just hosting the data.”
