Issues raised by EU Privacy law

The territorial scope of EU privacy law (the GDPR, Regulation (EU) 2016/679, Article 3) is now effectively global.

  • applies to non-EU organisations that offer goods or services to, or monitor the online behaviour of, individuals who are in the EU (the test is where the data subject is, not citizenship).
  • applies to non-EU organisations that process personal data of individuals in the EU on another organisation's behalf (SaaS and cloud providers acting as processors).
  • governs the use of personal data (what this page calls PII) of individuals in the EU.
  • protects that personal data no matter where in the world the processing occurs.
  • applies to all organisations established in the EU, whether controller or processor, regardless of where the processing itself takes place.
  • replaces and repeals the Data Protection Directive 95/46/EC.

The safest policy is to treat all EU customer data as personal data (PII)

  • PII = "Personally Identifiable Information"; the GDPR's own term is "personal data" (Article 4(1)), which is broader than the US notion of PII.
  • the definition of 'personal data' is very wide and has a low threshold: any information relating to an identified or identifiable natural person.
  • data repositories that are indexed by a personal identifier (e.g. an email address) are personal data.
  • data that can be linked to such repositories (a relational table joined on a customer key) also becomes personal data.
  • metadata, click behaviour, cookies carrying identifiers and IP addresses should all be treated as personal data (Recital 30 names online identifiers such as IP addresses and cookie identifiers explicitly).
  • under GDPR, pseudonymised records remain personal data (Recital 26), because the additional information needed to re-identify them still exists somewhere; only data that has been genuinely anonymised falls outside the Regulation.
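To make the last two points concrete, here is an added Python example (it is not from the page and describes no real system). It assumes the common and weak choice of an unsalted SHA-256 of the email address as the pseudonym, and uses two constructed tables: a click-stream keyed only by that pseudonym, and a customer table holding the real email addresses. Joining the two re-attributes every click to a named person, and even without the customer table the pseudonym can be reversed from a list of candidate addresses, which is why pseudonymised records are still personal data.

```python
import hashlib


def pseudonymise(email: str) -> str:
    """Replace an e-mail address with an unsalted SHA-256 digest.

    This is a common pseudonymisation choice and, as shown below, a weak one.
    Normalising case and whitespace keeps both tables using the same key.
    """
    return hashlib.sha256(email.strip().lower().encode("utf-8")).hexdigest()


# Constructed customer table: the 'additional information' of Recital 26
# that makes re-identification possible. Names and addresses are invented.
CUSTOMERS = [
    {"customer_id": 1, "name": "A. Example", "email": "alice@example.com"},
    {"customer_id": 2, "name": "B. Example", "email": "bob@example.org"},
]

# Constructed click-stream keyed only by the pseudonym, as an analytics
# team might keep it while believing it holds no personal data.
CLICKS = [
    {"pid": pseudonymise("alice@example.com"), "path": "/pricing", "ip": "203.0.113.7"},
    {"pid": pseudonymise("alice@example.com"), "path": "/checkout", "ip": "203.0.113.7"},
    {"pid": pseudonymise("bob@example.org"), "path": "/docs", "ip": "198.51.100.2"},
]


def reidentify(clicks, customers):
    """Relational linkage: join the pseudonymous table back to the identity
    table on the shared key. Each click record becomes data about a named person."""
    by_pid = {pseudonymise(c["email"]): c for c in customers}
    linked = []
    for row in clicks:
        person = by_pid.get(row["pid"])
        if person is not None:
            linked.append({
                "name": person["name"],
                "email": person["email"],
                "path": row["path"],
                "ip": row["ip"],
            })
    return linked


def reverse_from_candidates(pid, candidate_emails):
    """Re-identification without the customer table: an unsalted hash of a
    guessable identifier is reversed by hashing candidates (for example a
    leaked address list) until one matches. Returns None if nothing matches."""
    for email in candidate_emails:
        if pseudonymise(email) == pid:
            return email
    return None


def behaviour_profile(clicks, customers):
    """Per-person browsing history: the 'monitoring of behaviour' that the
    page says brings even a non-EU organisation into scope."""
    profile = {}
    for row in reidentify(clicks, customers):
        profile.setdefault(row["email"], []).append(row["path"])
    return profile


if __name__ == "__main__":
    for row in reidentify(CLICKS, CUSTOMERS):
        print(row)
    print(behaviour_profile(CLICKS, CUSTOMERS))
    print(reverse_from_candidates(CLICKS[2]["pid"], ["carol@example.net", "bob@example.org"]))
```

The practical consequence is that a pseudonymised analytics store needs the same access control, retention and subject-rights handling as the customer table it can be joined to; a keyed hash (HMAC with a secret held separately) resists the candidate-list attack but the data is still personal data while the controller holds the key.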