Business Guide: Handling PII and Sensitive Personal Data Under the GDPR and CCPA

Batja Huisman
5
min read

Regulations like the European GDPR and Californian CCPA require businesses to take on a prominent role in managing and securing their customers’ personal data and PII. But between the legal jargon, a plethora of online sources, and the endless number of tasks to complete every day, business owners can be left baffled.

To help you navigate the steps your business should take, we have created this short guide for handling personal and sensitive data under the GDPR and CCPA.

Sensitive Personal Data and PII Under the GDPR and CCPA

Disclaimer: the following guide is not to be used for any legal purposes and was not created by legal professionals.

What is PII and Personal Data?

PII (Personally Identifiable Information) is any information that can be used to identify or trace an individual. This includes information like social security numbers, driver's licenses, bank accounts, addresses, places of birth, medical information, and more. This term is commonly used in the US.

In Europe, and specifically under the GDPR, the term “personal data” is more often used. “Personal data” covers all characteristics of PII, alongside online identifiers. This means that data like cookies and browser history are also considered personal data.

Why Does PII Matter in Privacy and Data Protection?

Protecting PII is important to ensure the safety and protection of individuals. Compromised PII and personal data can be used for fraud, identity theft, extortion, or manipulation. In December 2021, for example, Superior Plus Energy Services identified a data breach, and personal information was compromised. Individuals whose information was stolen were notified and were provided with two years of complimentary credit monitoring and identity theft protection insurance, and restoration services.

For businesses, protecting personal data is important to build trust with customers and also to avoid fines. GDPR, for example, harshly penalizes those who violate its privacy and security standards. Under the GDPR, companies must be able to demonstrate the legal basis for collecting and processing users’ personal data, and data breaches have to be reported to authorities within 72 hours of  becoming aware of it. Otherwise, penalties can reach up to 4% of a company’s annual global revenues or 20 million euros ($22.8 million), whichever is higher.

How to Handle Sensitive and Personal Data Under GDPR and CCPA

Two of the leading global regulations for protecting personal data and PII, the GDPR and CCPA, state clear business requirements for handling personal data. Here are the actions businesses should take to comply with each one.

GDPR Definitions and Requirements when Handling PII and Sensitive Personal Data

The GDPR (General Data Protection Regulation) is considered the strictest global privacy and security regulation. Applying to all organizations that target or collect data related to people in the EU. According to the GDPR, personal data is considered any data that can be used to identify an individual, directly and indirectly. This includes names, email addresses, gender, biometric data, location, political opinions, cookies, and more.

Under the GDPR, businesses are required to protect the data they collect by:

  • Applying security technical and organizational measures - like MFA, encryptions, and employee training
  • Getting the subject’s unambiguous consent for gathering the data (or processing data based on a lawful basis) - you can use a form, an opt-in box, have them reply to an email, etc.
  • Ensuring data is gathered and stored only for legitimate reasons - set up clear procedures and processes
  • Storing the minimum amount of data required for a minimum amount of time (data minimization) - make sure you only gather info relevant to your business
  • Keeping the data up-to-date and accurate - review data periodically and create an updating mechanism and retention. If you can’t verify the data, it might be time to delete it.
  • Enabling individuals to delete their personal data or withdraw consent - you can create an electronic form, a landing page or set up a dedicated email address
  • Appointing a DPO (Data Protection Officer) - for organizations whose core activities requires processing data at large scale
  • Maintaining detailed documentation of collected data and how it is used including article 30’s ROPA report

CCPA Definitions and Requirements when Handling PII and Sensitive Personal Data

The CCPA (California Consumer Privacy Act of 2018) is a regulation intended to provide Californian consumers with control over personal information that businesses collect on them. The CPRA (California Privacy Rights Act) is an amendment to the CCPA, approved in November 2020 and becoming effective in January 2023.

According to the CCPA, personal information is any information that can be related to an individual or their household. Like the GDPR, this includes names, social security numbers, browsing history, biometric data, and more. It also includes business information, like purchased products.

Under the CCPA, businesses are required to protect the data they collect by:

  • Giving consumers notices that explain their privacy practices - provide information before collecting personal information
  • Providing customers with information about which data is collected and how it is used - you can provide the info on your website or by email
  • Enabling individuals to delete data or opt-out of data collection - businesses are required to include the "Do Not Sell My Personal Information" link on their homepage and any page where personal info is collected

In addition, businesses are not allowed to discriminate against customers for exercising CCPA rights. As can be seen, CCPA is less detailed about the required practices and less stringent in its requirements.

Next Steps For Your Business

It can be very challenging to keep track of all the data you are collecting, using, and sharing, to ensure you’re complying with all the regulations and their requirements. To properly manage your customers’ personal data and PII, you need to first gain an understanding of which data you are storing, and where. Getting an automated data mapping solution for your company is a great step in that direction.

Automated data mapping will allow you to track and reveal all your data sources, so you can continuously map them and gain automated insights. These insights will help you identify potential compliance and security threats so you can take the needed actions as required by GDPR and CCPA.  

Replace your spreadsheets and never lose track of your data with Mine’s automated data mapping that reveals up to 100% of your data sources and allows you to easily create ROPA reports.