If you’re a marketer worth your salt (and of course you are), you’re likely amassing tons of data, and, if you’re worth quite a lot of salt, you’re collecting and tapping into the right personal customer attributes to create engaging campaigns. You know the deal: you have a next-level mastery of personalization and have perfected when to pepper in the data you’ve collected (name, age, gender, and language, plus events like purchase and browsing history) to craft meaningful customer-centric communications.
So how does the data you’ve been accumulating and including in your messaging relate to personally identifiable information (PII, in the United States)? The answer depends on who you ask.
Globally and in the U.S. there’s not one single entity or set of guidelines responsible for setting the definition for PII (or just personal information or personal data, outside the U.S.), but there are a few key players:
Distinguishing between the definitions and requirements for each of the above can be tricky and may very well be something that your team will need to decide upon based on your product or services and your intended methods of data collection and use for marketing campaigns. Below we’ve provided an overview of each to help kick-start these important conversations.
For a flexible approach, consider the do-it-yourself, self-regulated standards of System and Organization Controls (SOC) Report 2, created by the American Institute of CPAs (AICPA) for service companies managing customer data, for which compliance is not a requirement.
PII Definition (SOC2)
AICPA’s SOC2 breaks down PII as any details that uniquely narrow in on a specific individual, namely their:
To keep individuals and their data safe, SOC2 requires companies to put controls in place to ensure PII cannot be accessed by unauthorized parties. Recommended safeguards include:
For those in the highly regulated health industry, you’ll need to stick to HIPAA’s definition of PHI (protected health information, the patient’s version of PII) and requirements for compliance.
PHI Definition (HIPAA)
According to HIPAA, PHI includes:
Examples of PHI under HIPAA include:
PHI Compliance (HIPAA)
Who must comply with HIPAA? Companies that are considered “covered entities,” including:
Health insurance companies (HMOs, company health plans, Medicare, Medicaid)
HIPAA also lays out what companies must do to protect PHI, including:
Change is coming: the E.U.’s General Data Protection Regulation (GDPR), effective May 2018 and replacing earlier E.U. regulations, is the biggest update to the regulation of data privacy in the E.U. in the past 20 years.
Personal Data Definition (GDPR)
The GDPR spells out what it refers to as personal data as “any information related to a natural person or ‘Data Subject’, that can be used to directly or indirectly identify the person.” Examples include an individual’s:
Personal Data Compliance (GDPR)
The big thing to note here is user agreements: They must be easy for your customers to access and understand. That means no more legal mumbo jumbo that people just scroll through. TL;DR is not acceptable.
When asking for customer consent, you must do so in plain language, and it has to be just as easy for them to opt out of something as it is to opt into it.
For individuals under 16, parental consent will be required.
Other highlights include:
Companies that aren’t complying with the new guidelines could face steep fines: up to 4% of annual global turnover or €20 million.