Personal data is at the heart of the EU General Data Protection Regulation (GDPR), but many people are still unsure exactly what ‘personal data’ refers to. There’s no definitive list of what is or isn’t personal data, so it all comes down to properly interpreting the GDPR’s definition:
“‘[P]ersonal data’ means any information relating to an identified or identifiable natural person (‘data subject’).”
In other words, any information that is clearly about a particular person. But just how broadly does this apply? The GDPR clarifies:
“[A]n identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.”
That’s an awful lot of information. In certain circumstances, someone’s IP address, hair colour, job or political opinions could be considered personal data.
The qualifier ‘certain circumstances’ is worth highlighting, because whether information is considered personal data often comes down to the context in which data is collected. Organisations usually collect many different types of information on people, and even if one piece of data doesn’t individuate someone, it could become relevant alongside other data.
For example, an organisation that collects information on people who download products from their website might ask them to state their occupation. This doesn’t fall under the GDPR’s scope of personal data, as, in all likelihood, many people have that occupation. Similarly, an organisation might ask what company they work for, which, again, couldn’t be used to identify someone (unless they were the only employee).
However, when collected together, these pieces of information could be used to narrow down the number of people to such an extent that in many instances you could reasonably establish someone’s identity.
Of course, that’s not always the case. For example, knowing that someone is a barista at Starbucks doesn’t narrow things down much. In that instance, the data would need to be combined with more information, such as the person’s name.
You might think that someone’s name is always personal data, but it’s not that simple, as the UK’s Information Commissioner’s Office explains:
“By itself the name John Smith may not always be personal data because there are many individuals with that name. However, where the name is combined with other information (such as an address, a place of work, or a telephone number) this will usually be sufficient to clearly identify one individual.”
However, it also notes that names aren’t necessarily required to identify someone:
“Simply because you do not know the name of an individual does not mean you cannot identify [them]. Many of us do not know the names of all our neighbours, but we are still able to identify them.”
A brief guide to what is (or could be) personal data
As we’ve explained, it can be hard to say whether certain information meets the GDPR’s definition of personal data. However, Cloud services company Boxcryptor provides a list of things that could be considered personal data, either on their own or in combination with other data:
- Biographical information or current living situation, including dates of birth, Social Security numbers, phone numbers and email addresses.
- Looks, appearance and behaviour, including eye colour, weight and character traits.
- Workplace data and information about education, including salary, tax information and student numbers.
- Private and subjective data, including religion, political opinions and geo-tracking data.
- Health, sickness and genetics, including medical history, genetic data and information about sick leave.
How organisations should handle personal data
If you’re unsure whether the information you store is personal data or not, it’s best to err on the side of caution. This means making sure data is secure, reducing the amount of data you store, collecting only as much data as necessary to complete your processing activities and keeping data for only as long as it meets its purpose.
The personal data that you collect should be pseudonymised and/or encrypted. Pseudonymisation masks data by replacing identifying information with artificial identifiers. Although it is central to protecting data – being mentioned 15 times in the GDPR – and can help protect the privacy and security of personal data, pseudonymisation has its limits, which is why the GDPR also mentions encryption.
Encryption also obscures information by replacing identifiers with something else. But whereas pseudonymisation allows anyone with access to the data to view part of the data set, encryption allows only approved users to access the full data set.
Pseudonymisation and encryption can be used simultaneously or separately.
With only a few months until the GDPR takes effect, it’s important that you take steps now to secure the personal data that you hold. Organisations that fail to do this will face severe disciplinary action from data protection authorities.
Properly handling personal data is only one thing organisations need to do to comply with the GPDR. Those who want advice on how else to comply with the GDPR should download our free green paper: EU General Data Protection Regulation – A Compliance Guide.
This guide provides an overview of the key changes introduced by the GDPR, the scope and impact of the Regulation and the areas that organisations need to focus on.