PII Document Redaction
Learn to distinguish between blackout redaction for highly sensitive data and anonymization for less critical information. Master the verification process to ensure no sensitive data escapes before document release. Understand why improper redaction can lead to GDPR violations and significant fines.
What You'll Learn
- Recognize common cybersecurity threats
- Respond appropriately to security incidents
- Protect sensitive information
- Follow security best practices
- Report suspicious activities
Training Steps
- Introduction: Alice works as a Compliance Analyst at DataSecure Consulting, a firm that helps organizations meet their data protection obligations. Her role involves preparing documents for external sharing while ensuring sensitive personal data is properly protected. Today, she needs to prepare a customer report for an external auditor - but the document contains PII that must be redacted first.
- The Audit Request: Alice receives an email from the compliance team lead. An external auditor has requested documentation related to a recent customer engagement, and the report needs to be shared by end of day. The email includes the customer report as an attachment that Alice needs to download and process.
- Downloading the Report: Alice needs to download the attached customer report to process it. The file will appear in her Downloads folder, ready to be opened in the Document Viewer application. Michael emphasizes that PII must be redacted before external sharing - this is a core GDPR requirement.
- Opening the Document: The report is now in Alice's Downloads folder. She needs to open it using the Document Viewer - a specialized tool for viewing and redacting sensitive documents. The Document Viewer is designed for GDPR-compliant document handling - it tracks all redactions for audit purposes and prevents accidental disclosure of PII.
- Identifying Sensitive Data: The Document Viewer opens with the customer report displayed. Alice can see several highlighted regions that contain personal data requiring redaction. The document contains these PII types: Social Security Number, email address, phone number, physical address, and partial bank account information.
- Redacting the Social Security Number: The first piece of sensitive data is Sarah Chen's Social Security Number. This is highly sensitive PII that should never be shared with third parties unless absolutely necessary and legally justified. Alice needs to click on the SSN region to apply a blackout redaction - completely hiding the data. The auditors have no legitimate need to see this information.
- Redacting the Email Address: Next, Alice addresses Sarah Chen's email address. While less sensitive than an SSN, email addresses are still personal data under GDPR and can be used to contact or identify individuals. Alice clicks on the email region to redact it. The auditors need to see that contact methods were documented, but not the actual email.
- Redacting the Phone Number: Sarah's phone number appears in the contact details section. Like email addresses, phone numbers are personal data that can be used to identify and contact individuals directly. Alice clicks on the phone number region to redact it.
- Redacting the Physical Address: The document includes Sarah's home address for billing purposes. Physical addresses are significant PII - they reveal where a person lives and could be used for unwanted contact or worse. Alice clicks on the address region to redact this sensitive location information.
- Redacting Financial Data: Finally, Alice addresses the partial bank account number in the payment details section. Even though only the last four digits are shown, this is still considered financial PII when combined with other information in the document. Financial data always requires careful protection - Alice clicks on the bank account region to complete the redaction process.
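As an added illustration (not part of this training module or its Document Viewer), the following Python pass applies the two treatments the introduction distinguishes and then runs the release-time verification: blackout for the SSN and bank details, stable placeholders for contact data so the auditor still sees that a contact method was documented, and a final scan that must come back empty before the report leaves. The sample report, the regexes and the placeholder format are constructed assumptions; the address pattern is deliberately narrow and a real release check would combine it with reviewer-marked regions.

```python
import re

# Constructed sample report; every value is fictitious.
SAMPLE_REPORT = """Customer: Sarah Chen
SSN: 123-45-6789
Email: sarah.chen@example.com
Phone: (555) 010-2345
Address: 42 Maple Street, Springfield
Payment: account ending in 4321
"""

# Highly sensitive identifiers get blackout redaction: the value is destroyed.
BLACKOUT = {
    "ssn": re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),
    "bank_last4": re.compile(r"\b(?:account|acct)\s+ending\s+in\s+\d{4}\b", re.I),
}
# Less critical contact data is anonymized: replaced by a stable placeholder
# (the same input always maps to the same token within one document).
ANONYMIZE = {
    "email": re.compile(r"\b[\w.+-]+@[\w-]+(?:\.[\w-]+)+\b"),
    "phone": re.compile(r"\(?\b\d{3}\)?[-.\s]?\d{3}[-.\s]?\d{4}\b"),
    "address": re.compile(r"\b\d+\s+[A-Z][a-z]+\s+(?:Street|St|Avenue|Ave|Road|Rd)\b"),
}


def redact(text: str) -> tuple[str, list[str]]:
    """Apply blackout, then anonymization; return the new text and an audit log."""
    log = []
    for kind, pattern in BLACKOUT.items():
        text, n = pattern.subn("[REDACTED]", text)
        log += [f"blackout:{kind}"] * n
    for kind, pattern in ANONYMIZE.items():
        seen = {}  # original value -> placeholder, so repeats stay consistent

        def repl(m):
            return seen.setdefault(m.group(0), f"[{kind.upper()}-{len(seen) + 1}]")

        text, n = pattern.subn(repl, text)
        log += [f"anonymize:{kind}"] * n
    return text, log


def verify(text: str) -> list[str]:
    """Release gate: return the PII kinds still detectable; must be [] to ship."""
    return [k for k, p in {**BLACKOUT, **ANONYMIZE}.items() if p.search(text)]


if __name__ == "__main__":
    cleaned, audit = redact(SAMPLE_REPORT)
    print(cleaned)
    print("audit:", audit, "residual:", verify(cleaned))
```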
Knowledge Check Questions
This training includes a 6-question quiz to test your understanding of Security Awareness threats and defenses.
- Under GDPR, which of the following qualifies as Personally Identifiable Information (PII)? (Select all that apply)
- What is the correct order for processing a document containing PII before external sharing?
- Why is redaction necessary before sharing documents with external parties?
- What are the potential consequences of sharing unredacted PII externally without proper legal basis?
- Which types of data in the exercise required redaction? (Select all that apply)