New privacy laws are changing the way companies handle personal information of their employees and customers. It’s crucial to understand what types of data are personal information (PI) or sensitive PI to ensure compliance with new laws and to avoid unintentional data breaches.
The term PI can be defined differently in different privacy laws. However generally, it refers to any information that could be used to identify a person. This can include name, contact details ID numbers, IP addresses, and other online identifiers. Additionally, PI could include subjective information, such as opinions and personal perspectives. It is important to note that not all information can be considered to be personal, and that data aggregation may reduce the chance of the re-identification of.
Sensitive PII tends to be more protected than PI, and may include information about a person’s race, ethnicity, sexual orientation, gender as well as other beliefs, religions or, criminal convictions and medical or health data, biometric data financial information, personal or employment-related information. Additionally, it could be information that could cause harm or embarrassment for an individual if it is misused.
As a rule you should only collect information about yourself that you actually need for your business operations, and limit the amount of information you provide to third parties. Think about implementing a program of data retention that restricts the length you keep personal information and a system for deleting it upon request. This will help to maintain CPRA compliance and reduce the risk of fines.
