Personal data is at the heart of the GDPR (General Data Protection Regulation). However, many organisations are still unsure exactly what ‘personal data’ is.
That’s a concern, because if organisations don’t meet their compliance requirements, they risk data breaches and disciplinary action.
Yet, we can understand why organisations continue to struggle with this aspect of the GDPR – particularly if they don’t have a dedicated data protection professional on their books.
The issue is that the Regulation doesn’t provide a definitive list of what is or isn’t personal data. It is up to organisations to correctly interpret the GDPR’s definition:
[P]ersonal data’ means any information relating to an identified or identifiable natural person (‘data subject’)
In other words, personal data is defined as any information that is clearly about a particular person.
The GDPR further clarifies that information is considered personal data whenever an individual can be identified, directly or indirectly, “by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.”
That’s an awful lot of information. In certain circumstances, someone’s IP address, hair colour, job or political opinions could be considered personal data.
The qualifier ‘certain circumstances’ is worth highlighting, because whether information is considered personal data often comes down to the context in which it is collected.
Context is everything
Organisations usually collect many different types of information on people, and even if one piece of data doesn’t individuate someone, it could become relevant alongside other information.
For example, a data controller that requests information on people who download products from their website might ask them to state their occupation.
This doesn’t fall under the GDPR’s scope of personal data, because, in all likelihood, a job title isn’t unique to one person.
Similarly, an organisation might ask what company they work for, which, again, couldn’t be used to identify someone unless they were the only employee.
Get expert guidance on meeting your GDPR compliance requirements with IT Governance’s DPO as a service.
This service is ideal organisations looking for the data protection expertise and knowledge required to fulfil their DPO obligations.
One of our experts will act as your DPO, completing the necessary tasks for your organisation and providing you with guidance whenever you need it.
However, in many instances, these pieces of information could be used together to narrow down the number of natural, living persons to such an extent that you could reasonably establish someone’s identity.
In other words, if you refer to someone with a specific job title at a specific organisation, there may only be one person who fits that description.
Of course, that’s not always the case. Knowing that someone is a barista at Starbucks doesn’t narrow things down much, for example.
In these cases, those two pieces of information together wouldn’t be considered personal data. However, it’s highly unlikely that this information would be stored without a specific identifier, such as the person’s name or payroll number.
Names aren’t always considered personal data
You might think that someone’s name is as clear an example of personal data as it gets; it is literally what defines you as you. But it’s not always that simple, as the UK’s Information Commissioner’s Office explains:
“By itself the name John Smith may not always be personal data because there are many individuals with that name.
“However, where the name is combined with other information (such as an address, a place of work, or a telephone number) this will usually be sufficient to clearly identify one individual.”
However, the ICO also notes that names aren’t necessarily required to identify someone:
“Simply because you do not know the name of an individual does not mean you cannot identify [them]. Many of us do not know the names of all our neighbours, but we are still able to identify them.”
- GDPR: When do you need to seek consent?
- The GDPR: What is sensitive personal data?
- The GDPR: Legitimate interest – what is it and when does it apply?
A guide to what is (or could be) personal data
As we’ve explained, it can be hard to say whether certain information meets the GDPR’s definition of personal data.
However, Cloud services company Boxcryptor provides a list of things that could be considered personal data, either on their own or in combination with additional information:
- Biographical information or current living situation, including dates of birth, Social Security numbers, phone numbers and email addresses.
- Looks, appearance and behaviour, including eye colour, weight and character traits.
- Workplace data and information about education, including salary, tax information and student numbers.
- Private and subjective data, including religion, political opinions and geo-tracking data.
- Health, sickness and genetics, including medical history, genetic data and information about sick leave.
How organisations should handle personal data
If you’re unsure whether the information you store is personal data or not, it’s best to err on the side of caution.
This means making sure that the processing of personal data is limited to what is necessary and keeping data for only as long as it meets its purpose.
You should also strongly consider pseudonymising and/or encrypting information – particularly if it is a special category of personal data.
Pseudonymisation masks data by replacing identifying information with artificial identifiers.
Although it is central to protecting data – being mentioned 15 times in the GDPR – and can help protect the privacy and security of personal data, pseudonymisation has its limits, which is why the GDPR also mentions encryption.
Encryption also obscures information by replacing identifiers with something else. But whereas pseudonymisation allows anyone with access to the data to view part of the data set, encryption allows only approved users to access the full data set.
Pseudonymisation and encryption can be used simultaneously or separately.
Ask a DPO if you’re unsure
Those looking for ongoing advice on how to manage the personal data they collect should consult a DPO (data protection officer).
A DPO is an independent expert hired to guide organisations on their GDPR compliance requirements. They are responsible for many tasks, including:
- Informing and advising the organisation and its employees of their obligations;
- Monitoring the organisation’s data protection policies and procedures;
- Recommending to management when DPIAs (data protection impact assessments) are necessary; and
- Acting as a point of contact between the organisation and its supervisory authority.
The GDPR states that certain organisations must appoint a DPO – but even if you don’t fill those criteria, it can be hugely beneficial to appoint one anyway.
Become a GDPR expert
You can learn more about your organisation’s data protection requirements by taking our Certified GDPR Foundation Self-Paced Online Training Course
This one-day course is delivered by an experienced data protection expert, and provides a comprehensive introduction to the Regulation and its rules.
It is ideal for managers who want to understand how the Regulation affects their organisation and employees who are responsible for GDPR compliance, and is available in a variety of forms, including online and self-paced.
A version of this blog was originally published on 17 February 2018.
In a private tennis club with an online court booking system available ONLY to members, would it transgress GDPR to show the names (and no other information) of those booked to play at a given time? After all, you would only have to be there at the given time to see who is on court and with whom.