After our recent discussion on personal data under the EU General Data Protection Regulation (GDPR), many people seemed surprised by the extent to which someone’s physical appearance is considered personal data.
The GDPR defines personal data as “any information relating to an identified or identifiable natural person (‘data subject’)”. In other words, any information that relates to a specific person who is, or could be, identified.
There’s no definitive list of what is or isn’t personal data, but Cloud services provider Boxcryptor provides a detailed list of examples, including the following physical and physiological features:
- Hair colour
- Eye colour
- A person’s gait
- Defining characteristics
Because none of these features is unique (unless you’re one of these two people), a single physical detail on its own typically won’t meet the GDPR’s definition of personal data: you can’t identify someone simply by knowing that they have brown hair or walk with a limp. However, when such a detail is combined with other information (physical or otherwise), you may be able to narrow the candidates down to the person the information belongs to, or at least probably belongs to. Whether that happens depends on the context of the data rather than the sheer volume collected.
For example, an overly descriptive journalist might describe an interviewee as a tall, thin woman in her thirties with dark hair, blue eyes, glasses and a nose ring. Despite the detail involved, this could refer to any number of people, and on its own wouldn’t be considered personal data. It’s only once more specific information is added, such as a name or place of employment, that the data subject becomes identifiable.
By contrast, a journalist’s description of a one-legged man with a green mohawk uses fewer details, but if you saw such a person, you could reasonably conclude that he was the person described.
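The two descriptions above can be checked mechanically: treat each physical attribute as a quasi-identifier, join the description against a population, and count how many people remain. The following Python is an added example written for this article, not code from the original post or from any GDPR tooling; the seven-person population, its attribute names (`height`, `hair_style`, `employer` and so on) and the two descriptions are all constructed for illustration.

```python
# Added example (not from the original article): how combining physical
# attributes narrows a candidate set, i.e. "context, not volume".
# POPULATION is a constructed, fictional sample; attribute names are assumptions.

POPULATION = [
    {"name": "Ana",  "sex": "F", "age_band": "30s", "height": "tall",    "build": "thin",   "hair_colour": "dark",  "eye_colour": "blue",  "glasses": True,  "nose_ring": True,  "legs": 2, "hair_style": "bob",          "employer": "Acme"},
    {"name": "Beth", "sex": "F", "age_band": "30s", "height": "tall",    "build": "thin",   "hair_colour": "dark",  "eye_colour": "blue",  "glasses": True,  "nose_ring": True,  "legs": 2, "hair_style": "ponytail",     "employer": "Globex"},
    {"name": "Cara", "sex": "F", "age_band": "30s", "height": "tall",    "build": "thin",   "hair_colour": "dark",  "eye_colour": "blue",  "glasses": True,  "nose_ring": True,  "legs": 2, "hair_style": "long",         "employer": "Initech"},
    {"name": "Dan",  "sex": "M", "age_band": "40s", "height": "average", "build": "stocky", "hair_colour": "green", "eye_colour": "brown", "glasses": False, "nose_ring": False, "legs": 1, "hair_style": "green mohawk", "employer": "Acme"},
    {"name": "Eve",  "sex": "F", "age_band": "30s", "height": "tall",    "build": "thin",   "hair_colour": "dark",  "eye_colour": "brown", "glasses": True,  "nose_ring": False, "legs": 2, "hair_style": "long",         "employer": "Acme"},
    {"name": "Finn", "sex": "M", "age_band": "20s", "height": "tall",    "build": "thin",   "hair_colour": "blond", "eye_colour": "blue",  "glasses": False, "nose_ring": False, "legs": 2, "hair_style": "mohawk",       "employer": "Globex"},
    {"name": "Gus",  "sex": "M", "age_band": "30s", "height": "short",   "build": "thin",   "hair_colour": "dark",  "eye_colour": "blue",  "glasses": True,  "nose_ring": True,  "legs": 2, "hair_style": "short",        "employer": "Acme"},
]

# The journalist's wordy description: eight attributes.
JOURNALIST = {
    "height": "tall", "build": "thin", "sex": "F", "age_band": "30s",
    "hair_colour": "dark", "eye_colour": "blue", "glasses": True, "nose_ring": True,
}

# The terse description: three attributes.
MOHAWK = {"sex": "M", "legs": 1, "hair_style": "green mohawk"}


def candidates(population, description):
    """People matching every attribute in `description` (a quasi-identifier join)."""
    return [p for p in population
            if all(p.get(key) == value for key, value in description.items())]


def identifiability(population, description):
    """Size of the matching set. 1 means the description singles someone out;
    a larger number is the crowd the subject still hides in."""
    return len(candidates(population, description))


def narrowing(population, description):
    """How the candidate set shrinks as attributes are added one at a time.
    Returns [(attribute, remaining_candidates), ...] in the description's order."""
    steps, partial = [], {}
    for key, value in description.items():
        partial[key] = value
        steps.append((key, identifiability(population, partial)))
    return steps


if __name__ == "__main__":
    for label, desc in (("journalist", JOURNALIST), ("mohawk", MOHAWK)):
        print(label, identifiability(POPULATION, desc), narrowing(POPULATION, desc))
    # Adding one contextual attribute collapses the wordy description to a single person.
    print("journalist + employer", identifiability(POPULATION, {**JOURNALIST, "employer": "Acme"}))
```

In this sample, the eight-attribute journalist description still leaves three candidates, whereas the three-attribute mohawk description matches exactly one person; adding a single contextual attribute (an employer) to the journalist's description reduces it to one as well. The same join-and-count approach is what a data protection impact assessment would apply to any dataset of appearance attributes before deciding whether the records are personal data.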
The amount of data you collect should be driven by your reason for collecting it. The GDPR’s data minimisation principle requires that personal data be “adequate, relevant and limited to what is necessary” for the purpose, so you should process only as much information as the task needs. You also need a lawful basis for the processing; if none of the other bases applies, you will have to rely on consent, which can be tricky to obtain and manage.
You also need to consider that physical details can change. A person can dye their hair, replace their glasses with contact lenses or develop temporary or permanent characteristics (such as getting a prominent tattoo or requiring a wheelchair or crutches). When this happens, organisations need to amend their records in line with the GDPR’s requirement that personal data must be kept “accurate and, where possible, up to date”.
More advice on complying with the GDPR
To find out more about complying with the Regulation, take a look at EU GDPR – A Pocket Guide. Written by Alan Calder, IT Governance’s founder and executive chairman, this book will give you a clear understanding of the GDPR, explaining:
- The terms and definitions used in the Regulation;
- The key compliance requirements; and
- How to comply with the GDPR.