The General Data Protection Regulation (GDPR) is the EU regulation that dictates how personal data collected in the European Union (EU) is to be handled. However, before employees can start incorporating GDPR into their daily workflow, they must first understand when GDPR applies. Regrettably, even after a two-year transition period, when GDPR came into effect on 25 May 2018 it was estimated that fewer than 10% of businesses were ready to deal with the changes it imposed.
The definition of personal data in GDPR’s Article 4, Definitions, is widely described as “very broad and intentionally vague”. Organizations therefore need to be careful when collecting or processing any data. Personal data is any information relating to an identified or identifiable natural person, referred to as the ‘data subject’. An identifiable natural person is someone who can be identified, directly or indirectly, by reference to an identifier. Examples of such identifiers include:
- Names (first, middle, surname, maiden, aliases etc.)
- Date of birth
- Contact details (telephone numbers, email addresses, home addresses)
- Government-issued ID numbers
- Audio and/or visual recordings
- Bank details
- Location data
- Opinions and political leanings
- Genetic information
In addition to these identifiers, GDPR (Article 9) defines “special categories” of personal data. These are more sensitive pieces of information that can leave individuals at greater risk if they are exposed, and processing them is prohibited by default unless one of the specific exceptions in Article 9 applies. Such data includes the following:
- Race or ethnicity
- Trade union membership
- Membership of political organisations
- Religion or philosophy
- Genetic data and biometric data used to uniquely identify a person (e.g. fingerprints, retinal scans)
- Health data
- Sex life and sexual orientation
The GDPR does not apply to the personal data of a person who has died, though member states may create their own rules for processing the personal data of deceased persons. In practice, then, personal data means any information relating to an identified or identifiable living person. Because this definition is so general, it helps to examine personal data from several different contexts and angles.
For example, suppose a company collects the names of potential clients. John Smith is a very common name, and it is quite possible to misidentify which John Smith a record refers to. If a name like Filip Phry is collected, however, it is very likely that the correct person can be identified from the name alone because it is so unusual. On this reasoning, the bare name John Smith may not, on its own, single out an individual, whereas Filip Phry almost certainly does. Obviously this is context-dependent: in France or Spain, for example, John Smith will not be so common.
Pushing this illustration further, suppose the company collects more data about John Smith, such as his city of residence, marital status or favourite shoe brand. This additional information can be used to narrow down which John Smith is meant, so his name in combination with these attributes is considered personal data. The key question is whether the information can identify the person directly or indirectly. By the same reasoning, online and digital identifiers such as usernames and IP addresses can be personal data (GDPR Recital 30 says so explicitly).
Genuinely anonymous data usually does not fall within the remit of data protection legislation. For example, if an individual recorded only the heights of the students in a lecture hall and collected no other information, that data would not need to be protected as personal data. The caveat (Recital 26) is that data only counts as anonymous if re-identification is not reasonably likely; pseudonymised data, where a key or additional information could be used to re-identify the subject, remains personal data.
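The two preceding paragraphs make one point: a single attribute may match many people, but a combination of attributes (quasi-identifiers) can single out exactly one. A common heuristic for checking this is k-anonymity: count how many records share each combination of the chosen attributes; if any combination matches only one record (k = 1), that person is singled out. The example below is added here and is not code from the original article or from any regulator or standard; the records, names and attribute columns are constructed for illustration.

```python
"""k-anonymity style check for quasi-identifiers (added example, not from the article).

Answers the question raised above: does this combination of attributes
single out one person in the data set?  Records are constructed; no real people.
"""
from collections import Counter
from typing import Dict, List, Sequence, Tuple

# Constructed sample records (hypothetical; modelled on the article's John Smith example).
RECORDS: List[Dict[str, object]] = [
    {"name": "John Smith", "city": "London", "marital_status": "married", "shoe_brand": "Acme", "height_cm": 180},
    {"name": "John Smith", "city": "Leeds",  "marital_status": "single",  "shoe_brand": "Acme", "height_cm": 175},
    {"name": "John Smith", "city": "London", "marital_status": "single",  "shoe_brand": "Zed",  "height_cm": 180},
    {"name": "Filip Phry", "city": "London", "marital_status": "married", "shoe_brand": "Zed",  "height_cm": 175},
    {"name": "Jane Doe",   "city": "Leeds",  "marital_status": "married", "shoe_brand": "Acme", "height_cm": 165},
    {"name": "Jane Doe",   "city": "Leeds",  "marital_status": "married", "shoe_brand": "Zed",  "height_cm": 165},
]


def equivalence_classes(records: Sequence[Dict[str, object]],
                        quasi_identifiers: Sequence[str]) -> Counter:
    """Count how many records share each combination of the given attributes."""
    return Counter(tuple(r[q] for q in quasi_identifiers) for r in records)


def k_anonymity(records: Sequence[Dict[str, object]],
                quasi_identifiers: Sequence[str]) -> int:
    """Smallest equivalence class: every combination matches at least k records.

    k == 1 means at least one individual is singled out by these attributes.
    """
    classes = equivalence_classes(records, quasi_identifiers)
    return min(classes.values()) if classes else 0


def singled_out(records: Sequence[Dict[str, object]],
                quasi_identifiers: Sequence[str]) -> List[Tuple[object, ...]]:
    """Return the attribute combinations that match exactly one record."""
    classes = equivalence_classes(records, quasi_identifiers)
    return sorted(combo for combo, n in classes.items() if n == 1)


if __name__ == "__main__":
    # Heights alone: every value is shared by two students, nobody is singled out.
    print("height only     k =", k_anonymity(RECORDS, ["height_cm"]),
          "singled out:", singled_out(RECORDS, ["height_cm"]))
    # Name alone: the common name is shared, the rare name is unique.
    print("name only       k =", k_anonymity(RECORDS, ["name"]),
          "singled out:", singled_out(RECORDS, ["name"]))
    # Name + city + marital status: now every John Smith is uniquely identified.
    qids = ["name", "city", "marital_status"]
    print("name+city+ms    k =", k_anonymity(RECORDS, qids),
          "singled out:", singled_out(RECORDS, qids))
```

Running the script shows that the height column on its own gives k = 2 (nobody is singled out), the name column alone singles out only Filip Phry, and the combination of name, city and marital status singles out every John Smith in the set. The same check can be run over any extract before deciding whether it can be treated as anonymous or must be handled as personal data.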
With this in mind, organizations need to audit their data and identify which of it is personal data and which is not. They then need a lawful basis under Article 6 for any processing of personal data: consent is one such basis, alongside performance of a contract, legal obligation, vital interests, public task and legitimate interests. An organization that continues to process personal data without a lawful basis is in violation of the GDPR and can face fines of up to €20 million or 4% of worldwide annual turnover, whichever is higher, in addition to other sanctions.