Explaining the GDPR to an American

Here’s a good explanation of how the GDPR views personal data vs. how companies & schools have traditionally thought of personal data. From the article…

First, we need to get used to the term “personal data” instead of “PII” (personally identifiable information). Personal data is much broader than PII — it applies to anything that can be used to identify a person.

Next, it’s important to flip the view you might have of personal data the company collects as belonging to the company. Instead think of it as belonging to the person it identifies. The consumer [or visitor] is, you might say, giving us a license to use their personal data. You may then be ready to try to grasp a core value of the GDPR: “Natural persons should have control over their own personal data.”

This reflects a key public policy that data belongs to the person it identifies, and that the person has a right to control how it is processed. This means when customers share their data with us it is not ours, but rather theirs, at least as the European Union sees it and as reflected in the GDPR.
