What is personal data?

As technology continues to advance and becomes more ingrained in our daily lives, the separation between the digital world and the physical is only blurring more and more. We carry computers in our pockets, speak to artificial intelligence in our homes, and share data from our phones about our location, behavior, and activity. With all this potentially sensitive information exchanging hands, it’s important to know how much of your—and your customers’—information is out there and how to protect it in a data-saturated world.

Understanding the definitions of and differences between data types is an essential part of this data-mapping process. Identifying and locating sensitive data begins by knowing what to look for, but there’s a tremendous amount of overlap with these terms. Their naming conventions often differ depending on the regulation or legislation being considered, and some data can qualify as multiple data types—only adding to the existing confusion surrounding them.

For example, cardholder data (CHD), as it’s referred to in the Payment Card Industry Data Security Standard (PCI DSS), is also known as payment card information (PCI) and payment data elsewhere, and what the European Union’s General Data Protection Regulation (GDPR) considers personal data can also be personally identifiable information (PII), nonpublic personal information (NPI), or personal health information (PHI), depending on what's being referenced and how it's being used.

However, just because these terms overlap does not necessarily mean they are interchangeable. In fact, many times they are not. For instance, an individual’s name could be considered both cardholder data and personally identifiable information, but a credit card expiration date could not. Here's a breakdown of how some of the more common data regulations define relevant data types.

Common Data Types Defined

Regulation: Australian Privacy Act
Term: Personal Information
Definition: Information or an opinion (including information or an opinion forming part of a database), whether true or not, and whether recorded in a material form or not, about an individual whose identity is apparent, or can reasonably be ascertained, from the information or opinion.

Regulation: CCPA
Term: Personal Information
Definition: Information that identifies, relates to, describes, is capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household.

Regulation: GDPR
Term: Personal Data
Definition: Any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.

Regulation: Gramm-Leach-Bliley Act
Term: Nonpublic Personal Information (NPI)
Definition:
• Any information an individual gives you to get a financial product or service (for example, name, address, income, Social Security number, or other information on an application);
• any information you get about an individual from a transaction involving your financial product(s) or service(s) (for example, the fact that an individual is your consumer or customer, account numbers, payment history, loan or deposit balances, and credit or debit card purchases); or
• any information you get about an individual in connection with providing a financial product or service (for example, information from court records or from a consumer report).

NPI does not include information that you have a reasonable basis to believe is lawfully made "publicly available." In other words, information is not NPI when you have taken steps to determine:
• that the information is generally made lawfully available to the public; and
• that the individual can direct that it not be made public and has not done so.

Regulation: HIPAA
Term: Protected Health Information (PHI)
Definition: Information, including demographic information, which relates to:
• the individual’s past, present, or future physical or mental health or condition,
• the provision of health care to the individual, or
• the past, present, or future payment for the provision of health care to the individual,
and that identifies the individual or for which there is a reasonable basis to believe can be used to identify the individual. Protected health information includes many common identifiers (e.g., name, address, birth date, Social Security Number) when they can be associated with the health information listed above.

Regulation: PCI DSS
Term: Cardholder Data (CHD)
Definition: At a minimum, cardholder data consists of the full PAN. Cardholder data may also appear in the form of the full PAN plus any of the following: cardholder name, expiration date and/or service code.

Regulation: Privacy Act of 1974
Term: Personally Identifiable Information (PII)
Definition: Information that can be used to distinguish or trace an individual’s identity, either alone or when combined with other personal or identifying information that is linked or linkable to a specific individual.

As you can see in the table above, the designation for a given piece of data often relies on which regulation it is subject to, and in some cases, such as with "personal information," the same term can be used to define slightly different data types.

Personal Data and GDPR

Because of its broad interpretation, personal data is an often misunderstood term. It’s at the center of the GDPR, which defines it as any information “related to an identified or identifiable natural person.” The natural person portion is particularly important here in how it relates to another key term, data subject. In order for data to be considered personal data, it needs to be associated with a data subject, or “an identifiable natural person.” This may seem obvious, but it’s crucial in determining what is and isn’t personal data. In short, if the information can be tied back to a real person, it’s personal data.

Under the GDPR, this information must be protected in accordance with its established guidelines. Organizations found to be noncompliant can face penalties including fines of up to 4 percent of the company’s annual turnover or €20 million—whichever is greater. What’s more, these regulations don’t apply solely to companies in the EU—any entity operating in EU territories or collecting the personal data of EU citizens is subject to GDPR compliance.

Thus, understanding the definition of personal data, how it fits within the GDPR, and how to meet the relevant compliance obligations is critical in protecting your organization and your customers’ data. For more information about GDPR and privacy compliance, check out our ebook, or reach out to us at info@tokenex.com to learn how we can secure and desensitize any data set to help our customers meet industry and regulatory compliance standards.
