
Not speaking about GDPR, but your post is triggering me (my issue, not yours).

Here’s what is crazy to me about employee PII (personally identifiable information) being considered sensitive.

Say in a well-designed system you can audit who made each change or the last change to each business record. As an example, each database table has a login ID of who modified the last record/row most recently.

Now every single such table is polluted with PII?

I get having a list of all the places where personal data is stored, but some people think we need a list of all the places a pointer to personal data is stored (i.e., an identifier that enables linking; that is what “PII” literally means), and that is just such a bigger dataset; I don’t think it is appreciated how deep the rabbit trail goes applying policy to technology.

Every email in an organization contains PII and every system emails can get saved and attached to.

Back to your comment, does GDPR require just listing the personal information locations, or also the (PII) identifiers to it? Is a name alone considered personal information (if I sign my emails with my name does that go on the list and if so, can companies just declare huge subsystems as having personal information?)


