25th May 2018 – a date to remember, as this is when the EU General Data Protection Regulation comes into full force. After that date any business to which the regulations apply could face fines of up to 4% of worldwide turnover or 20 million Euro, whichever is the greater.
Now you may be wondering what this has to do with you? Well, quite a lot of businesses will be impacted by this, as the triggers for the regulations applying are as follows:
- You hold PII data on EU citizens
- You have an ‘establishment’ in the EU
These two triggers are quite subtle in their intent. The first one says nothing about ‘where’ the PII data on EU citizens is held; it could literally be anywhere on the planet (or beyond...). Also note it refers to EU citizens, not that they actually be ‘in’ Europe at the time, so dual passport holders not resident in the EU could be in scope…
The second requires you to have an ‘establishment’ – now this is not strictly pinned down in any one place as far as I can see, but the GDPR FAQ offers an indication of the ‘intent’:
The GDPR not only applies to organisations located within the EU but it will also apply to organisations located outside of the EU if they offer goods or services to, or monitor the behaviour of, EU data subjects. It applies to all companies processing and holding the personal data of data subjects residing in the European Union, regardless of the company’s location.
So if you happen to manipulate PII data of an EU citizen, regardless of their current location or your location, you are likely to be in scope of this legislation…
Now, it may be that this needs to be tested in the courts a few times before we get to a better-scoped understanding of which businesses fall into it, but I would consider it wise for now to consider yourself in scope if you meet the above requirements.
Important Note: There is no lower limit on the size of the business that is in scope, so startups and small businesses that provide services into Europe and deal with EU PII data are clearly in scope. All that changes is the degree of effort or commitment under the legislation that needs to be maintained over time.
Outsourcing and Privacy
Something else you need to be very aware of: if you have a third party processing your data (say an online accountancy package, a mailing service or a CRM), they need to be compliant as well. The responsibility rests with you as the data ‘owner’ to see that whoever processes the PII data is doing so in accordance with the regulations. You cannot just ‘throw’ the data to someone else online and wash your hands of your liability…
Similarly, if you operate an online service and just say you are compliant when in fact you aren’t, your customers have every right to sue you for misrepresentation if the EU GDPR comes knocking. So not only will you get the fine by proxy, you will likely get damages as well… Plus there is all the data you keep on your employees (any from Europe?).
What is this PII?
PII (Personally Identifiable Information) is information that pertains to a person, is personally sensitive in nature and relates to their private, professional or public life – i.e. you don’t want it getting into the public domain, or you want to retain a degree of control over who has it and how it is used.
The GDPR FAQ gives the following examples of PII data:
- email address
- bank details
- posts on social networking websites
- medical information
- computer IP address
Note: It’s the combination of these as associated to the ‘Data Subject’ (EU citizen) that determines its PII nature – so storing a computer IP address without knowing ‘who’ is on the other end is not PII. We will touch some more on this later.
Help! the EU GDPR has me in its sights!
First off, don’t panic, it won’t help. Remember, as of the date of this post, you have just over one year to get your PII ducks in a line.
Secondly, EU GDPR is currently the tip of an iceberg of Privacy regulations either coming into force or being considered to come into force from other countries or regions. The whole privacy regulations space is evolving rapidly, so chances are if you do what is required to meet the EU GDPR, meeting everything else should be a lot easier.
Basically, use the fact you need to be compliant with the EU GDPR to do your privacy changes well enough to weather the changes coming down the line. Plus, in my experience, you will be wanting to deal with this sooner rather than later, in case the unexpected creeps out of the woodwork.
Some simple things you can do now...
First off, work out exactly where you have PII data in your systems and where you are storing it. Remember it could be hiding out in all sorts of places:
- text files, spreadsheets, Word documents, presentations, etc.
- log files
- printouts
I would suggest once PII data is found, ask yourself: Do I really need it to be there? If you can delete or ‘mask’ PII data out of a system or process, that is one less part which you have to worry about – also data you do not have or keep is very secure!
BTW, masking of PII data is where you manipulate it in such a way that it is no longer possible to use it to refer back to the individual concerned.
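As an added illustration (not code from the original post), the following Python script does the two things just described over a few constructed log lines: it inventories email addresses and IPv4 addresses, two of the PII examples listed above, and then masks them irreversibly with fixed placeholders. The log lines, regular expressions and function names are assumptions made for this example.

```python
import re
from collections import Counter

# Constructed sample log lines (not from the original post) of the kind where
# PII tends to hide: a web access log and an application log.
SAMPLE_LOG = """\
192.168.10.45 - - [19/May/2017:10:12:01 +0100] "GET /account HTTP/1.1" 200 512
INFO  signup ok user=alice.smith@example.org ip=203.0.113.7
WARN  password reset requested for bob@example.co.uk from 198.51.100.23
INFO  healthcheck ok
"""

# Email addresses and IP addresses are two of the PII examples the post lists.
EMAIL_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")
IPV4_RE = re.compile(
    r"\b(?:(?:25[0-5]|2[0-4]\d|1?\d?\d)\.){3}(?:25[0-5]|2[0-4]\d|1?\d?\d)\b"
)
PATTERNS = {"email": EMAIL_RE, "ipv4": IPV4_RE}


def find_pii(line):
    """Return (kind, value) pairs for every PII-looking token in one log line."""
    found = []
    for kind, pattern in PATTERNS.items():
        found.extend((kind, m.group(0)) for m in pattern.finditer(line))
    return found


def inventory(log_text):
    """Step one of the post's advice: count which kinds of PII are present."""
    counts = Counter()
    for line in log_text.splitlines():
        for kind, _ in find_pii(line):
            counts[kind] += 1
    return dict(counts)


def mask_line(line):
    """Irreversible masking: each value becomes a fixed placeholder, so nothing
    in the output can be used to refer back to the individual."""
    for kind, pattern in PATTERNS.items():
        line = pattern.sub(f"[{kind} masked]", line)
    return line


def mask_log(log_text):
    return "\n".join(mask_line(line) for line in log_text.splitlines())


if __name__ == "__main__":
    print("PII found:", inventory(SAMPLE_LOG))
    print(mask_log(SAMPLE_LOG))
```

Run it against a copy of a real log to see what an inventory of that file looks like before deciding whether the log needs to keep those fields at all.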
Secondly, I would educate key staff on what Privacy and the EU GDPR means to your business – pointing them to this post would be a good start.
Thirdly, do you use any suppliers or online services? It is likely they need to be compliant as well – pointing them to this post would be helpful too.
Fourthly, get in touch on our contact form – we have direct experience dealing with privacy regulations and helping businesses become compliant through appropriate changes to their systems.
Privacy, PII, Europe and your business, by Keith, May 19, 2017