Rolling in personally identifiable data? It's a bit of a minefield if you don't keep your feet

The world – well, Europe at least – is going potty about the impending new General Data Protection Regulation. If I signed up to every data protection seminar invitation in my inbox I'd have no hours left in the day to work... or drink or sleep, for that matter. So it's easy to forget that data protection legislation has existed …

  1. Nigel Cro

    DPA 1984???

    I think I take the point - that the UK has had data protection legislation since 1984 (at least) but the article is slightly confusing.

    The 1984 DP Act was replaced by the 1998 DP Act which is currently the relevant legislation in the UK.

    1. Anonymous Coward

      Re: DPA 1984???

      Think it is legitimate, the author was stating that data protection laws have been around since the DPA 1984, there's been many updates and laws since then, not just the DPA 1988.

  2. Fazal Majid

    PII covers more than you think

    IP addresses and device IDs like the Apple Identifier for Advertising or Google Android Advertising ID are considered PII, and thus GDPR encompasses more than many companies think.

  3. frank ly

    Just wondering

    Every now and then, El Reg sends me an email about a seminar or a white paper or something and I simply delete them, no worries. If I sent an email to you, asking you to stop this, would you be required to do so with all haste?

    1. DaLo

      Re: Just wondering

      Unless you explicitly asked to have them anyway then they would no longer be able to send them in the first place after 25th May 2018. Only subjects who have given consent equivalent to GDPR can have their data processed for those purposes. So unless you ticked a box to say that you wanted to receive those, they would not be able to be sent to you.

      1. DaLo

        Re: Just wondering

        Oh and it can't just be part of the terms and conditions, it must be more explicit about what you are consenting and also a service can't usually be limited if you choose to decline.

    2. Doctor Syntax Silver badge

      Re: Just wondering

      " If I sent an email to you, asking you to stop this, would you be required to do so with all haste?"

      That raises a further issue. Marketing emails are usually sent with a no-reply email address. If there is no acceptable means of communicating one's wish to opt out (and clicking links in an unsolicited email has been a no-no these many years) when is this in itself an offence under the GDPR?

      1. DaLo

        Re: Just wondering

        Chapter 3 of the GDPR asserts your rights as a data subject. There is very little, as with all regulations, saying exactly what you can and cannot do. So having a 'no reply' e-mail address would not in itself be forbidden.

        However easy access to your data, to rectify your data and to erase your data is required. In the best case this would be via a control panel that the user can access to do all this and for companies with a significant number of requests this may also become a necessity. Other than that the data subject would need another way of easily completing this, that doesn't require jumping through hoops or fees.

        The issue will be companies from outside the EU - trying to find the source of the data transfer, which may have happened many years ago will be hard. If they aren't trying to sell you an EU product or Service you will still get the same amount of spam as before.

        After the 25th May 2018 I would suggest a good use of the + email extension to allow you to tag every e-mail address given out with a unique reference or the company name. Even better your own mail domain with a different e-mail address for every company you deal with. That way the source of any data transfers will be obvious and you can ask the ICO to fine them 2% (maybe even 4%) of their turnover. Or maybe even just threaten them with the ICO unless they give you substantial compensation.

  4. DaLo

    Article doesn't clear much up but muddies it further.

    If anyone is using this article for their own research then I would recommend a lot of extra reading. For instance

    "This said, though, explicit consent isn't always required. According to Article 6 of GDPR processing, PII is legitimate (albeit with a couple of caveats) if: "processing is necessary for the purposes of the legitimate interests pursued by the controller". If you want to buy something from my online store it would be daft if I was obliged to ask you explicitly for permission to use your card number to take payment and your address to post you the goods."

    However the legitimate interests is a subsection 6(1)(f) and states ...

    "processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data, in particular where the data subject is a child."

    The caveats are key as anything as absolutely necessary to function (e.g. not marketing) would not be in the interests of the data subject. The data collected and processed would need to be the absolute minimum with a clear assessment of why data was included. This section also does not apply to public bodies.

    The actual subsection for dealing with a shop customer is 6(1)(b)

    "processing is necessary for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract;"

    Which covers the minimum needed to capture customer data to make a sale. This may well stop shops asking for your address when buying over the counter for instance - also it should stop shops in airports requiring your boarding pass when you aren't buying duty free goods.

    There are some critical issues relating to the GDPR that may make significant changes to the way companies operate. With the ruling that IP addresses can be PII, this can affect everything from weblogs, analytics and intrusion detection systems. It may be hard to justify intrusion detection as a legitimate interest if you have never had an attack but have been merrily hoovering up IP addresses of everyone who visits your website. Also call centres would no longer be able to automatically record calls apart from some industries which may have a legal obligation. They will have to give the caller an option at the beginning of the call, which will have to be auditable.

    Also remember the actual bill has not yet been published so we only know the minimum that will be in the bill not all the clauses it will contain.

    1. Adam 52 Silver badge

      Re: Article doesn't clear much up but muddies it further.

      Agreed, this article is a very bad guide to the regulation.

      I would recommend the guide on the Information Commissioner's website, it's easy to read and understand and from a source that should know what they're talking about.

  5. Anonymous Coward

    Anonymisation is not carte blanche to "go crazy". We need to be very clear what "anonymous" means in a GDPR regime. If there is a 1:1 mapping of cleartext data to masked data it is not anonymised. GDPR identifies this data as pseudo-anonymised and instructs it must be handled as fully fledged PII, due to the proven ease of reconstructing an identity from metadata.

    Pre-aggregated, randomised or truncated data is anonymous. Hashed or encrypted data is not. It is pseudo-anonymised only. Pseudo-anonymisation can serve as an element of defence in depth to support a legitimate purpose justification, but it does not absolve you of responsibilities.

  6. Biff Takethat

    IF ONLY...

    ...it was that easy

  7. Doctor Syntax Silver badge

    "If I signed up to every data protection seminar invitation in my inbox I'd have no hours left in the day to work... or drink or sleep, for that matter. "

    Sleeping wouldn't be a problem. As to drinking, clearly you need to be selective about the seminars you choose.

  8. Ken Moorhouse Silver badge

    Footfall Data: no PII in it?

    Let's say you use MAC addresses as the identifier for people moving round your store. It may be argued that a MAC address is associated with someone by virtue of the association of ownership of that device with that person.

    So you anonymise that data: say using MD5 which people here are familiar with. So using MD5 to scramble the MAC address you might reasonably suppose that is anonymous enough for your purposes. It's a "trapdoor" code in the sense that it isn't easy to decode it back to one unique entity.

    On future visits to your store, that "someone", though supposedly anonymous, is most clearly readily identifiable if they are carrying the same device. The MAC address is captured, converted to MD5 and aha, this person visited the store on 6th July 2017 and spent 13 minutes 24 seconds looking at thermal underwear (yes this is the UK, so a plausible scenario).

    Is this kind of inference acceptable?

    If our target visitor had shoplifted and got prosecuted for stealing thermal underwear on that visit, it would be tempting for Security to set a red flag whenever that device is recorded as entering the store in future.

    How would you feel if that device were sold to a second hand shop in August, you bought it and were using it? How would you like a security guy to wink at you and comment that it is a bit chilly for this time of year, don't you think?

    Ok I've rambled on a bit. What does GDPR make of all this?

    1. Adrian 4

      Re: Footfall Data: no PII in it?

      How would you associate the MAC address or hash with the person shoplifting ? Are you allowed to obtain this information from them if/when you catch them ?

      1. Ken Moorhouse Silver badge

        Re: Footfall Data: no PII in it?

        >Are you allowed to obtain this information from them if/when you catch them ?

        No, but it is not difficult to work out by a process of elimination when they entered and exited the store, comparing that with CCTV footage, and making a mental note of what mobile device they were using at the time. Chances are that if caught they would be taken into an area where a WAP would strongly identify that particular MAC (or MACs if the perp had more than one mobile on them).

        I'm sure that for footfall purposes highly directional WAP devices would be utilised to be very specific about when someone entered different sales areas.

        This link gives a flavour of what GDPR is up against:-

        http://www.telegraph.co.uk/science/2016/12/27/high-street-shops-secretly-track-customers-using-smartphones/
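The two comments above (the Anonymous Coward one on hashed data being pseudonymised rather than anonymous, and Ken Moorhouse's MD5-of-MAC footfall scenario) make the same point: an unkeyed deterministic hash is a 1:1 mapping, so the same device produces the same token on every visit and the "anonymous" record is trivially linkable back to one person. The script below is an added illustration, not code from The Register or any commenter, and all of its data is constructed: a handful of made-up MAC sightings on two days, a hypothetical store secret, and three contrasting treatments. The plain MD5 tokeniser links the repeat visitor across days exactly as Ken describes; a keyed token that mixes in the calendar day still counts distinct devices within a day but cannot be joined across days; and the pre-aggregated output keeps no per-device identifier at all, which is the only one of the three the Anonymous Coward comment would call anonymous.

```python
import hashlib
import hmac
from collections import Counter

# Constructed sample: (visit date, MAC address seen by in-store Wi-Fi, dwell seconds).
# Device aa:bb:cc:dd:ee:01 appears on both days; nothing here is real data.
OBSERVATIONS = [
    ("2017-07-06", "aa:bb:cc:dd:ee:01", 804),
    ("2017-07-06", "aa:bb:cc:dd:ee:02", 120),
    ("2017-07-06", "aa:bb:cc:dd:ee:03", 45),
    ("2017-08-10", "AA:BB:CC:DD:EE:01", 300),   # same device, different day, different case
    ("2017-08-10", "aa:bb:cc:dd:ee:04", 60),
]

# Hypothetical per-deployment secret; in practice this lives in a secrets store and is rotated.
STORE_SECRET = b"hypothetical-store-secret"


def md5_token(mac: str, day: str) -> str:
    """Unkeyed MD5 of the normalised MAC. The day is ignored, so the mapping is 1:1 and
    the same device yields the same token forever: pseudonymous, not anonymous."""
    return hashlib.md5(mac.lower().encode()).hexdigest()


def daily_keyed_token(mac: str, day: str, secret: bytes = STORE_SECRET) -> str:
    """HMAC-SHA256 over (day, MAC) under a secret key. Without the key nobody can recompute
    a token for a candidate MAC, and because the day is mixed in, a device's token changes
    every day, so visits cannot be joined across days from the token alone."""
    msg = f"{day}|{mac.lower()}".encode()
    return hmac.new(secret, msg, hashlib.sha256).hexdigest()[:16]


def repeat_visitors(observations, tokenizer):
    """Return the set of tokens seen on more than one day under the given tokeniser.
    Any non-empty result means individuals are re-identifiable across visits."""
    days_by_token = {}
    for day, mac, _ in observations:
        days_by_token.setdefault(tokenizer(mac, day), set()).add(day)
    return {tok for tok, days in days_by_token.items() if len(days) > 1}


def aggregate_footfall(observations):
    """Pre-aggregated output: visit count and total dwell time per day.
    No per-device value survives, so there is nothing left to link or reverse."""
    visits, dwell = Counter(), Counter()
    for day, _, seconds in observations:
        visits[day] += 1
        dwell[day] += seconds
    return {day: {"visits": visits[day], "dwell_seconds": dwell[day]} for day in visits}


if __name__ == "__main__":
    print("MD5 repeat visitors:  ", repeat_visitors(OBSERVATIONS, md5_token))
    print("Keyed repeat visitors:", repeat_visitors(OBSERVATIONS, daily_keyed_token))
    print("Aggregate footfall:   ", aggregate_footfall(OBSERVATIONS))
```

The keyed, day-scoped token is still personal data for the day it covers (it distinguishes one device from another), so it is a defence-in-depth measure in the sense the Anonymous Coward comment describes, not a way out of the obligations. If the business question is only "how busy was the shop and how long did people stay", the aggregate is all that needs to be retained.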
