Expert GDPR QA: The material scope of personal data and legal implications

Every month, IT Governance gives a free EU General Data Protection Regulation (GDPR) webinar on a topic such as the first steps organisations should take to manage GDPR compliance, the accountability principle and what it means for boards and senior management under the GDPR, the role of data protection officer (DPO), data flow mapping, and data protection policies and procedures.

At the end of each webinar session, our GDPR expert/webinar presenter answers the questions attendees have asked during the webinar. This blog gathers together our experts’ answers to questions related to the material scope of personal data and the legal implications of the GDPR.

Does PII include data of customers as well as employees of a company?

The GDPR applies to all personal data that is collected in the EU, regardless of where in the world it is processed. Any database containing personal or sensitive data collected within the EU will be in scope, as will any media containing personal or sensitive data. Any organisation that has such data in its systems, regardless of business size or sector, will have to comply with the GDPR.

Personal data is anything that can identify a ‘natural person’ and can include information such as a name, a photo, an email address (including work email address), bank details, posts on social networking websites, medical information or even an IP address.

Is it anticipated that the DPA (1998) will be rewritten? 

Extremely unlikely – the UK government has confirmed that the GDPR will apply even after leaving the EU, and, as the legislation is in the form of regulation, it has direct effect and there is no need for the UK to implement further legislation to give effect to its provisions. The DPA, which was enacted to meet the requirements of the EU Data Protection Directive, is therefore superseded by the GDPR.

In Germany, an employee’s work email and telephone numbers are considered PII, but I don’t believe that is the case here in the UK. From 25 May 2018, how are global companies with staff in Germany as well as the UK going to proceed to best ensure they abide by the new law? Should they apply the more stringent approach?

The point of the GDPR is to standardise data protection regimes across the EU. The variation between regimes within the EU that existed prior to the GDPR was due to the fact that data protection legislation took the form of a directive, which gives Member States the flexibility to implement their own laws to give effect to the provisions of the Directive.

The GDPR eliminates this situation because it is an EU regulation. EU regulations have direct effect in all EU Member States, so the definition of ‘personal data’ is consistent across all Member States. The GDPR also creates a ‘consistency mechanism’ to ensure consistent definitions and approaches across member states and thus levels the playing field for data controllers and processors, as well as for data subjects. We will have to wait and see what actually happens.
The GDPR does authorise Member States to vary the special categories of data (aka sensitive data). In this case, global companies may need to process sensitive data in accordance with the law of the Member State where the data subject resides. Keep alert to the changing data protection environment!

The ICO has implied that the focus of the GDPR is more on B2C rather than B2B or business-to-employee engagements. Is this so?

Any processing of personal data within territorial scope is within the remit of the GDPR. In that respect, organisations operating B2B, B2C or business-to-employee models will all have the same obligations to fulfil under the legislation. However, the GDPR also recognises that the processing of certain data is necessary for some organisations to perform their functions – such as processing employee payment details for payroll purposes or sharing an address with a credit agency on an individual who has gone into arrears. For cases such as these, the GDPR specifies the lawful grounds on which organisations can process personal or sensitive data. You will need to consult your legal advisers for specific guidance to match your circumstances.

Is there an industry standard definition of personally identifiable information (PII)?

‘PII’ is originally a US term, defined in NIST SP 800-122 as “any information about an individual maintained by an agency, including (1) any information that can be used to distinguish or trace an individual’s identity, such as name, social security number, date and place of birth, mother’s maiden name, or biometric records; and (2) any other information that is linked or linkable to an individual, such as medical, educational, financial, and employment information” (Article 4).”

This definition of PII and its use in the USA does not precisely match the GDPR definition of ‘personal data’, which is the preferred term. Personal data is defined as “any information relating to an identified or identifiable natural person”, whether it relates to his or her private, professional or public life. As a general rule, any information that can be used to identify an individual – either on its own or when combined with another piece of information – is classified as personal data. This can include biometric, genetic and location data. IP addresses and email addresses also fall within this definition.

What is an online personal identifier? 

Personal identifiers (PIDs) are a subset of personal data. They identify a unique individual and can permit another person to assume that individual’s identity without their knowledge or consent. This can occur when PID data elements are used either alone, combined with a person’s name, combined with other PID data elements, or combined with other personal data. Personal identifiers include, for instance, account numbers, PINs, passwords, voice scans and credit card numbers.

Do utility bills, driving licenses and passport details qualify as sensitive personal data?

No. Under the GDPR, sensitive data is any personal data that reveals racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership. Genetic data, biometric data, data concerning health, or data concerning a natural person’s sex life or sexual orientation are also categories of sensitive data.

We are a construction company looking at capturing time and attendance data of our subcontractors using biometrics. We would also hold details of the operatives’ addresses to calculate travel distances. Does the GDPR apply?

Yes. If you collect biometrics, then you are processing sensitive data and are bound by the strict requirements of the GDPR for doing so, including obtaining the data subject’s explicit consent.

How does the GDPR apply to health data?

Health information is treated as sensitive data under the GDPR, as it was under the DPD. As under the Directive, organisations processing health data must have a lawful ground to do so, which is most likely to be the explicit consent of the data subject.

Health data controllers/processors typically choose to rely on consent. They can, however collect and use health data without consent if the processing is necessary for the purposes of preventive or occupational medicine, medical diagnosis, provision of health or social care or treatment, management of health or social care systems and services, or under a contract with a health professional or another person subject to professional secrecy under law. Additionally, consent is not required if the processing is necessary for public health reasons, or if the organisation can argue that the processing is necessary for scientific research. If you think any of these grounds might apply to your organisation, ensure you discuss with your legal advisers how you will approach the consent issue.

Does the GDPR mean that equal opportunities forms cannot be collected?

No. Equal opportunities forms should, in any case, be optional. Under the GDPR, sensitive data can be processed if the data subject has consented to it. However, you must ensure that the consent you obtain for collecting equal opportunities forms is explicit, informed, specific and freely given. If you think that you have a contractual, statutory or other basis for collecting this information without explicit consent, you should discuss with your legal advisers how you will address the issue.

What kind of regulations apply to universities? How does the GDPR affect schools? Do they have to comply as well?

The GDPR applies irrespective of sector or activity. As long as personal data is being processed, and the processor/controller is established in the EEA or the processing affects EEA data subjects, the GDPR applies. Universities and schools are no more exempt than any other institution. In addition, schools may have to deal with the issue of obtaining parental consent for processing  the personal data of children.

Is compliance required if the data is not resident on a company’s systems (e.g. remote access to live data is granted to a support organisation, but that organisation does not store it)?

If the remote person would be able to identify a natural person, write down what they read, photograph it or share it with someone, then it’s within the scope of the GDPR.

If personal data is encrypted throughout its lifecycle using strong/approved algorithms, is it out of scope for GDPR compliance?

Encryption can take personal data out of scope of the GDPR. Article 32(1)(a) sanctions it as an appropriate security technique. However, there is still uncertainty around this point, particularly regarding how strict the ECJ will be in its interpretation of anonymisation. It is possible that some encryption techniques may not be sufficient to put the personal data out of scope of the GDPR. Controllers should review their encrypted data and assess the reasonable likelihood of that data being decrypted, taking into account future technologies.

Is there a difference between how the GDPR applies to business-to-business engagements and business-to-consumer engagements?  For example, would the GDPR apply on the same level if I were to approach an individual within a company based on publicly available information as to when I seek to maintain personal data on a CRM system?

While you do not have to obtain consent to process personal information that someone has deliberately made public, you will be required to inform the data subject of your intentions to process their data and provide them with an opt-out route. Article 14 sets out the requirements of how this sort of information has to be handled.

Does the GDPR apply to hobby organisations (e.g. hobby groups with membership)?

The scope of the GDPR excludes data processed by natural persons for purely personal reasons. It’s not yet clear the extent to which this applies to hobby organisations. It will most likely depend on the scale of the organisation, what data is being collected, and whether or not the organisation has grown beyond what can be classed as personal activity.

How does the GDPR affect mobile phones and email data held on them while travelling?

Personal data is personal data, wherever it’s held. If a mobile device that contains personal data and is breached while travelling, it is as much a data breach under the GDPR as one affecting  a database within the EU.

An individual can be hidden behind an external IP of a company’s firewall; is that IP then relevant?

If the IP address can, on its own or with other information, be used to identify a natural person, then yes, it is relevant.

 

Leave a Reply

Your email address will not be published. Required fields are marked *