The General Data Protection Regulations attracted global attention last year for introducing sweeping changes in how organisations handle personal data. Organisations affected by GDPR must have a thorough understanding of what exactly the legislation means by ‘personal data’, and as this may affect how they adjust their business practices to achieve compliance.
Although an understanding of personal data is crucial for organisations, GDPR’s definition is deliberately vague. GDPR’s Article 4 states that personal data ‘means any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person’.
Organisations must proceed with caution, as this definition is so broad that it appears that nearly information could be classified as personal data. Some data could be counted as personal data depending on the context, such as processing requirements of the data controller or data processor.
Organisations should note that GDPR Recital 27 states “this Regulation does not apply to the personal data of deceased persons. Member States may provide for rules regarding the processing of personal data of deceased persons.”
GDPR Article 4 also defines two particular types of data, genetic data and biometric data. Genetic data is “personal data relating to the inherited or acquired genetic characteristics of a natural person which give unique information about the physiology or the health of that natural person and which result, in particular, from an analysis of a biological sample from the natural person in question”.
Similarly, biometric data is “personal data resulting from specific technical processing relating to the physical, physiological or behavioural characteristics of a natural person, which allow or confirm the unique identification of that natural person, such as facial images or dactyloscopic data”.
Examples of Personal Data Depending on Context
Let us imagine a company that is collecting the names of potential customers, one of whom is called John Smith. John Smith is a widespread name, so it would be difficult for a third party to identify this particular John Smith from only that information. However, if the company were to also collect a less common or unique name, for example, George Mercury, it is much more possible that this person could be identified by their name alone. John Smith may not be considered personal data in this case, whereas George Mercury certainly could be.
However, if the organisation were to collect more information on John Smith, such as where he lives and his marital status, it could be possible to identify him. Therefore, this information would be considered as personal data. The ability to identify the individual, directly or indirectly, is the critical determining factor.
It is important to note that online and digital identifiers, such as IP addresses or usernames, may be considered as personal data.
Organisations should audit all of the data that they hold on their customers to determine how much personal data they hold. They must identify what information they hold, for what purposes they use it, and if they obtained the correct consent. GDPR requires organisations to assess the information they hold to ensure that it is all compliant with its rules. If this audit is not complete, the organisation could accidentally violate GDPR, resulting in hefty penalties.