The geographic scope of EU Privacy law is now global.
- applies to non-EU organisations that sell to, or monitor the online behaviour of, EU citizens.
- applies to non-EU organisations that process PII of EU citizens (SaaS, Cloud services).
- governs the use of Personally Identifiable Information (PII) of EU citizens.
- protects the PII of EU citizens, no matter where in the world the processing occurs.
- applies to all organisations incorporated in the EU.
- replaces and repeals the Data Protection Directive 95/46/EC.
The safest policy is to treat all EU Customer Data as PII.
- PII = “Personally Identifiable Information”
- the definition of ‘personal data’ is very wide and has a low threshold.
- data repositories that are indexed by a personal identifier (e.g. email address) are PII.
- data that can be linked to repositories indexed by PII also becomes PII (relational tables).
- metadata, click behaviour, cookies with IDs, and IP addresses should all be treated as PII.
- under GDPR, pseudonymous records must be handled as PII.