Nick Dedeke is a professor in the Supply Chain and Information Management (SCIM) Group at Northeastern University in Boston.
The European Union introduced the General Data Protection Regulation (GDPR) in May 2016 to grant users (also called data subjects) more control over their personal data, which is typically under the custody of data aggregators and/or data processors. After an initial period of introduction to the public and stakeholders, the law took effect on May 25, 2018. The GDPR made several positive contributions to better regulate data protection. First, it expanded some existing rights, such as the subject's right to information, right to access, right to rectification, right to cancellation, and right to object. It also created new rights, such as the right to be forgotten, the right to portable data, and the right to restrict the processing of personal data. In addition, the GDPR included several obligations that data controllers owe data subjects.
Second, the GDPR introduced a notable extension to existing definitions of personal data. Currently, personally identifiable information (PII) includes data such as name, address, phone number, and email. Sensitive personally identifiable information (SPII) includes data such as social security numbers, driver’s licenses or state ID numbers, passport numbers, alien registration numbers, financial account numbers, and biometric identifiers. Some data become SPII when they appear with PII data. For example, data elements such as citizenship or immigration status, medical information, and information about ethnicity, religion, sexual orientation, or lifestyle become SPII when they are linked to the identity of an individual.