Many businesses use personal information on their employees as well as customers, and new privacy laws are transforming the way this data is handled. It’s important to understand what types of data are personal information (PI) or sensitive PI to ensure compliance with new laws and to avoid unintentional breaches.
PI is defined in different ways by different privacy laws, but it typically includes any information that can be used to identify a particular person. This includes names and identification numbers, contact information and IP addresses. Personal information can also include more subjective information, such as opinions and personal views. Note that not all information is personal information, and aggregating data can reduce the possibility of identification or re-identification.
Sensitive PI is more protected than PI and may include information about a person’s race or ethnic origin, gender, sexual orientation, religion, or other beliefs. It can also include information on criminal convictions, health or medical information, biometrics, financial records, or other information relating to their occupation or job. It may also include information that could cause someone embarrassment or harm if misused.
As a rule, limit the amount of personal information you share with others. You should also consider implementing an information retention policy that restricts how long you keep personal information, and have an effective process for removing this information upon request. This will help you maintain CPRA compliance and avoid potential fines.