The European Union’s General Data Protection Regulation (“GDPR”) is arguably the most comprehensive – and complex – data privacy regulation in the world. As companies prepare for the GDPR to go into force on May 25, 2018, there continues to be a great deal of confusion regarding the requirements of the GDPR.
To help address that confusion, Bryan Cave is publishing a multi-part series that discusses the questions most frequently asked by clients.
Question: Do personal data, personal information, and personally identifiable information mean the same thing?
Answer: Not necessarily. Only the term “personal data” is used within the GDPR. That term is defined as:
any information relating to an identified or identifiable natural person (“data subject”); an identifiable natural person is one who can be identified directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural, or social identity of that natural person.[1]
Although “personal information” and “personally identifiable information” are not terms that are officially used within the GDPR, given their similarity to “personal data,” and the fact that they incorporate certain words that are contained within the definition of “personal data” (e.g., “identifiable”), there is a tendency to use them interchangeably when speaking about the GDPR. The difficulty arises because those terms are defined within other legal systems, and their definitions do not match the definition of “personal data” used in the GDPR. For example, in the United States the term “personal information” is defined under several state statutes as referring only to a name in combination with a small sub-set of data fields viewed by legislators as being particularly sensitive. The state of Maryland, for instance, defines the term as follows:
“an individual’s first name or first initial and last name in combination with any one or more of the following data elements, when the name or the data elements are not encrypted, redacted, or otherwise protected by another method that renders the information unreadable or unusable: (i) a Social Security number; (ii) a driver’s license number; (iii) a financial account number...; (iv) an Individual Taxpayer Identification Number.”[2]
As a result, to avoid confusion – particularly when drafting multi-national contracts that may require compliance with the laws of both the European Union and the United States – it is always a good practice to define terms within the contract, or to consistently use the term “personal data” when referring to something within the scope of the GDPR.