PII is Ubiquitous, As is the Risk

Communication is a complicated and region-specific tool that allows people to understand one another. If one moves to a new area, the terminology can change, and if you go far enough the language itself is radically different. The advent of technology has made a significant difference, however. Computers and IT are creating a more global community in which people across the planet can understand each other with a minimum of steps. While this creates a wonderful situation for coming together, it also raises significant risks for personal information. If the data is readable to everybody, then losing control of it makes the risk to your person just as global. Each country and region has to address this situation in the way its people feel is best. For Europe, the answer was to create the General Data Protection Regulation, referred to here as the Regulation. It was created to strengthen and unify data protection for individuals living in the European Union, as well as to address the export of personally identifying information (PII) outside the EU.

Creating Law for Information

The regulation was created in order to give citizens a measure of control over their PII. While the EU cannot impose order on all data, residents within its borders can be regulated and protected. Previously, a directive had been in place for two decades that provided a guideline for how information was to be treated. As technology and data use evolved in the interim, a new and far stronger regulation was required. Instead of a mandate that set a minimum legal standard, the EU decided to make laws to protect its citizens. The regulation imposes a uniform data security law regime on all members of the EU, creating a standard and actionable practice for the handling of PII. This applies not only to companies and processors of information within the EU, but also to parties outside that area that handle PII for EU citizens. Essentially, any company that provides goods or services to EU residents and handles their PII is subject to this regulation. The location of the company or processor is irrelevant; the citizenship of the EU member is what extends this protection. The scope of this document is massive, as the way it was drafted makes it a global initiative for the EU's people.

The specifics of the regulation are not a total lockdown. Written for more modern times, it was created with an understanding not only of business, but also of social media. Even without businesses or corporate entities, we share information constantly on social media and through communication such as email or phone. The regulation was created to police that information and keep it safer for the individuals it represents. One aspect is the “right to portability,” article 18 of the regulation. This portion specifically covers and allows the transfer of information from one entity to another, for instance when a person wishes to change service providers and needs to transfer their PII. The individual also has the right to receive any personal data they provided to a controller or processor via automated means. No conversation with a person should be required to receive your own provided information, and it must be available in a “structured and commonly used and machine-readable format.” This provides quick and easy access to your information virtually anywhere, anytime.

When Protection Does Fail

How the data is handled is also of major concern. If a company processes or collects information that reveals sensitive personal details, it must designate a data protection officer. This information can be collected from clients or customers, or can even be gathered from employees for human resources. Regardless of how it is gathered, or from whom, sensitive PII must be safeguarded. Some examples of this information are racial or ethnic origin, political opinion, religious or philosophical beliefs, trade-union membership, genetic data, biometric data, health or sex life, and sexual orientation. Any one of these data points can be dangerous to treat flippantly, thus an officer must be appointed. This individual must provide advice about, and monitor compliance with, the regulation. They also serve as the contact person for communications with the relevant supervisors in case something goes wrong.

In the event of a breach of information, the regulation requires controllers of the information to notify the owner of that information within 72 hours of discovery. The notification must describe the nature of the breach, what information may have been lost, and approximately how many people were affected. Additionally, the notice needs to include how to reach the appointed officer for that company, and the measures the officer and company have taken to mitigate the situation. Internally, if a breach occurs, the officer must inform supervisors “without undue delay” so that the situation can be dealt with efficiently. This is not without caveats, however. The controller of the information does not have to provide notice if it has completed specific steps. If the company had taken appropriate technical and organizational protection measures, such as strong encryption or some other means of making the information unreadable, and applied them to the affected data, that data would be considered safe. Next, the company must take measures to ensure this will not occur again, or make a disproportionate effort toward that goal. Breaches may never be completely removed as a risk, but a company can take significant steps to minimize them, as well as the risk of lost data being used inappropriately.