If you’re a marketer worth your salt (and of course you are), you’re likely amassing tons of data, and, if you’re worth quite a lot of salt, you’re collecting and tapping into the right personal customer attributes to create engaging campaigns. You know the deal: you have a next-level mastery of personalization and have perfected when to pepper in the data you’ve collected (attributes like name, age, gender, and language, and events like purchase and browsing history) to craft meaningful, customer-centric communications.
So how does the data you’ve been accumulating and including in your messaging relate to personally identifiable information (PII, in the United States)? The answer depends on who you ask.
PII (Personally Identifiable Information) Definitions, Examples, and Compliance
Globally and in the U.S. there’s not one single entity or set of guidelines responsible for setting the definition for PII (or just personal information or personal data, outside the U.S.), but there are a few key players:
- The System and Organization Controls (SOC) Report 2 created by the American Institute of CPAs (AICPA) offers parameters and advice for service organizations and is self-regulated.
- Health Insurance Portability and Accountability Act (HIPAA) requirements are a must-follow when it comes to protected health information (PHI) in the U.S.
- The E.U.’s General Data Protection Regulation (GDPR) is another must-follow, specifically for businesses that offer goods or services to or monitor the behavior of individuals in the EU (regardless of which country they operate in), effective spring of 2018.
Distinguishing between the definitions and requirements for each of the above can be tricky and may very well be something that your team will need to decide upon based on your product or services and your intended methods of data collection and use for marketing campaigns. Below we’ve provided an overview of each to help kick start these important conversations.
For a flexible approach, consider the do-it-yourself, self-regulated standards of the System and Organization Controls (SOC) Report 2, created by the American Institute of CPAs (AICPA) for service companies that manage customer data. Compliance with SOC 2 is voluntary, not a legal requirement.
PII Definition (SOC2)
AICPA’s SOC2 breaks down PII as any details that can uniquely identify a specific individual, namely their:
To keep individuals and their data safe, SOC2 requires companies to put controls in place so that PII cannot be accessed by unauthorized parties. Recommended safeguards include:
For those in the highly regulated health industry, you’ll need to stick to HIPAA’s definition of PHI (protected health information, the patient’s version of PII) and its requirements for compliance.
PHI Definition (HIPAA)
According to HIPAA, PHI includes:
- Past, present, or potential future physical or mental health information, including treatment and payments for healthcare, as well as any identifying information associated with this health information
Examples of PHI under HIPAA include:
PHI Compliance (HIPAA)
Who must comply with HIPAA? Companies that are considered “covered entities,” including:
- Health insurance companies (HMOs, company health plans, Medicare, Medicaid)
- Health care providers (doctors, clinics, specialists, pharmacies)
- Health data companies
- Companies and individuals that provide services to any of the above, such as billing companies, lawyers, accountants, IT teams
HIPAA also lays out what companies must do to protect PHI, including:
- Putting procedures in place to limit who can view and access patient health information
- Training employees about how to protect PHI
- Having safeguards to protect PHI and ensure it is not disclosed improperly
- Using health information for marketing purposes only upon receiving patient permission
At a glance
Change is coming: the E.U.’s General Data Protection Regulation (GDPR), effective May 2018 and replacing earlier EU regulations, is the biggest update to regulation of data privacy in the E.U. in the past 20 years.
Personal Data Definition (GDPR)
The GDPR spells out what it refers to as personal data as “any information related to a natural person or ‘Data Subject’, that can be used to directly or indirectly identify the person.” Examples include an individual’s:
Personal Data Compliance (GDPR)
The big thing to note here is user agreements: They must be easy for your customers to access and understand. That means no more legal mumbo jumbo that people just scroll through. TL;DR is not acceptable.
When asking for customer consent, you must do so in plain language and it has to be just as easy for them to opt out of something as it is to opt into it.
For individuals under 16, parental consent will be required.
Other highlights include:
- Breach notifications: in instances where there’s a risk to the rights and freedoms of individuals, breaches must be announced within 72 hours of being detected
- Rights to access: customers have the right to know what, if any, of their personal data is being processed and to be able to get a copy of said data, free of charge
- Right to be forgotten (aka “data erasure”): The famous example of this is Google having to scrub its search engine results of certain information for individuals. Thanks to this right, individuals are entitled to have their personal data erased and no longer distributed or processed.
- Data portability: This is the right for individuals to obtain their personal data in digital formats from companies.
- Privacy by design: The central idea here is that individual data protection should be core to designing systems, such as app permissions, email captures, and so forth, rather than adding them on as an afterthought.
Companies that aren’t complying with the new guidelines could face steep fines: up to 4% of annual global turnover or €20 million.