What Is Personal Data?
Put simply, personal data is information that relates to (1) an identified or identifiable person or (2) an identified or identifiable legal entity (where such information is protected similarly to personal data under applicable data protection laws and regulations). While regulations use different terms with slightly varying definitions, “personal data,” “personal information,” and “personally identifiable information (PII)” are often used interchangeably.
Since there are various data privacy and protection laws that define how you can collect and handle an individual’s data, it’s crucial that you understand what information you need to safeguard as well as your compliance responsibilities.
In the rest of this post, we’ll help you do just that by guiding you through the regulatory landscape for collecting personal data.
What does personal data mean for the GDPR?
The GDPR defines personal data as follows:
“Personal data” means any information relating to an identified or identifiable natural person (“data subject”); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.
Who does the GDPR protect?
The GDPR intends to give E.U. residents more control over how organizations collect and process their personal data. These people are broadly referred to as “data subjects.” The GDPR has replaced some data protection laws across Europe with a single, binding framework for data privacy across the E.U.
Who needs to comply with the GDPR?
First and foremost, the GDPR regulates data controllers: organizations that decide how and why they’ll process personal data, compelling them to provide E.U. individuals with a variety of rights and consent opportunities. It also regulates the organizations that process data on behalf of controllers—also called data processors.
What does personal information mean for the CCPA?
The California Consumer Privacy Act (CCPA) regulates “personal information” and provides the following legal definition:
“Personal information” means information that identifies, relates to, describes, is capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household.
This can include online identifiers, photographs and sound recordings, as well as geolocation data.
Who does the CCPA protect?
The CCPA is the first comprehensive state statute in the U.S. intended to strengthen privacy rights and consumer protections. It allows California residents (or “consumers”) to discover and change how companies collect and profit from their personal information, providing these consumers with more transparency and actionable rights.
Who needs to comply with the CCPA?
The CCPA regulates for-profit organizations that do business in California and meet at least one of the following conditions:
- Has $25 million or more in annual gross revenue
- Buys, receives, sells, or shares the personal information of at least 50,000 consumers, households, or devices
- Derives at least 50% of annual revenue from selling consumers’ personal information
While there are a few important points of difference between the GDPR and CCPA, including the depth of rights you need to provide to individuals, there is also considerable overlap. And since many global organizations will have to comply with both sets of legislation, it’s crucial to understand the full scale of your responsibilities.
What are the risks of mishandling personal data?
Mishandling personal data can lead to a variety of disciplinary actions and penalties, even if it happens unknowingly.
For example, there are a number of national data protection authorities in the E.U. that administer the GDPR, and each has the power to:
- Audit organizations suspected of violations
- Issue warnings and reprimands
- Ban organizations from processing data
- Suspend data transfers to third countries
- Order the deletion of data
Organizations also face fines should they infringe upon the GDPR’s requirements or cause a personal data breach. The GDPR sets a maximum fine of €20 million or 4% of a company’s global annual revenue – whichever is greater – though the exact penalty depends on the nature of each violation.
Right now, the CCPA has a narrower spectrum of sanctions and enforcement measures. California’s Attorney General can issue fines up to $7,500 per intentional violation, and up to $2,500 otherwise.
This is set to change, however, as the approval of the Privacy Rights and Enforcement Act Initiative—a ballot proposition that was passed during the 2020 general election—updates the CCPA with new enforcement provisions. Notably, this involves the creation of the California Privacy Protection Agency: a body with the power to investigate potential non-compliance cases, issue injunctions, apply fines, and bring civil actions to collect unpaid fines.
How to comply with the GDPR and CCPA
While the GDPR and CCPA apply to individual organizations in different ways, taking the following steps will help you to comply with both sets of legislation when it comes to personal information:
- Audit your information—know what data you process, who has access to it, and the legal basis on which you process it.
- Encrypt, pseudonymize, or anonymize personal data where possible.
- Store data for only as long as it fulfills its purpose.
- Build awareness around data privacy and security, appointing people around your organization to take ownership of compliance.
- Have a process in place to notify authorities and the relevant data subjects if a data breach occurs.
- Make it easy for individuals to request and receive information about their rights and the data you have about them.
- Clearly communicate that people can correct, update, and request the deletion of their data.
- Invite people to opt in or out of your data collection processes, where appropriate.
Laws and regulations regarding data protection are constantly evolving, but acting now to create sustainable processes for data privacy will improve your organization’s response to developments down the road.
While this article discusses certain legal concepts, it does not constitute legal advice. It is provided for informational purposes only. For legal advice regarding your organization's compliance needs, please consult your organization's legal department. Okta makes no representations, warranties, or other assurances regarding the content of this article. Information regarding Okta's contractual assurances to its customers can be found at okta.com/agreements.