Personal Customer Journey: But in Compliance With Data Protection

Many companies store and process their customers' data. But how can it be ensured that this is done in a legally compliant manner? Details in the blog.

Jan 3, 2023 - 3 min.
Sebastian Ulbert

The nightmare scenario for many companies: hackers have managed to encrypt and steal personal data after mounting a successful cyberattack. These types of data breaches are frequent. Sometimes they are discovered by IT managers, and other times, they remain undetected. Companies can pay dearly for a cyberattack of this sort. In addition to financial losses, their reputation with customers, business partners and the general public is seriously damaged. At the same time, strict regulations govern how these companies must process the relevant data, such as personally identifiable information (PII) or personal data. Companies face a double challenge: they must protect data against hackers on the one hand while also guaranteeing privacy-compliant storage and processing on the other. Read on to learn how companies can still guarantee their customers a seamless customer journey.

Definition of personally identifiable information (PII)

Personally identifiable information is all data that can be used to identify a specific person definitively. General examples of this include tax identification numbers, bank data, IP addresses or other identification numbers. 

The category of PII can also be broken down into sensitive and non-sensitive information. Non-sensitive information about a person does not cause them any immediate harm if it falls into the 'wrong hands'. Examples of this type of data include all publicly accessible information, such as corporate directories, telephone books and websites. Usually, this kind of data can also be transmitted and stored without encryption. 

It's a different story regarding sensitive data in the area of PII. This data can cause harm to a person if it is revealed. Such data should, therefore, always be encrypted – which applies both to the transmission and storage of this information. This includes biometric features, information from the medical area and other unmistakable data. 

Similarly, the National Institute of Standards and Technology (NIST) distinguishes between two categories of PII. For instance, there is linkable information that can only identify a person when combined with additional information. Examples include gender, ethnicity, job and position or common first names such as 'John'.

Linked data, on the other hand, is regarded as sensitive and unique information. It includes information such as social security numbers, bank data or cookies.

Data that cannot be used to uniquely identify a person is classified as Non-PII and is, therefore, the opposite of PII. This can include anonymized statistics on the use of products and services or (partially) masked IP addresses, for example.

The distinction between PII and Non-PII is not always clear, however, and the boundaries can become blurred. Within the European Union, this contradicts the relevant regulations on personal data in the GDPR.

The most important regulations regarding personal data

Personal data is defined by the GDPR and is, therefore, a legal term. According to Art. 4 No. 1 of the GDPR, all data that refers to and can identify a natural person is classified as personal data. Unlike linked or linkable information, the regulation in the GDPR makes no such differentiation: all data that identifies a person directly or indirectly is personal data and, therefore, worthy of protection. 

This means that personal data includes any data that provides an insight into the physical, physiological, genetic, mental, economic, cultural or social identity of natural persons. However, metadata can also fall into this category. For example, a person's route to work can be used to deduce the radius within which they live. 

The GDPR also stipulates that every company that processes data, directly and indirectly, must apply the general principles of data protection as well as specific regulations. These include the legality of processing, processing in good faith, transparency, purpose limitation, data minimisation, the accuracy of data processing, storage limitation, integrity and confidentiality. 

Data protection throughout the customer journey

Data editing and processing undoubtedly help companies gain important insights about their customers. For example, the cookies (data packets) generated by web browsers and internet pages can be used to gather information about individual users. Despite incurring the wrath of privacy advocates for years, these text files are what make online shopping and even online banking possible in the first place. There are two sides to every coin. 

According to the European Court of Justice and the GDPR, cookies that ensure the basic functionality of a web application may only be activated if the user explicitly consents to them. However, companies also have a 'legitimate interest' in collecting and processing data for direct marketing purposes. This requires that a balance be struck in individual cases to determine whether the use of cookies to collect data complies with the principle of data minimisation. 

The opt-in procedure can also be used to make the process seamless for both sides. This means that cookies are not set at the start of an internet session but only once the user has actively consented to them. This assures website operators that their actions are GDPR-compliant and that they have received consent to the storage and processing of data. This creates a win-win situation for both sides: the user enjoys a seamless customer journey while the company can focus more closely on the user's product and service requirements and ideally increase its profit.

 
