GDPR – What is personal data?
Although in many cases it may seem obvious what constitutes ‘personal data’, it is also true that often it is not so clear cut.
GDPR gives a rather wordy definition of what makes up personal data, as follows:
‘personal data’ means any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person;
Although on a first reading that may seem as clear as mud, there are in fact some very important specifics in there.
The first point to note is that the GDPR relates to a ‘natural person’.
In other words, the regulation covers people rather than business entities. Be aware, though, that some people may trade as sole traders, so you’ll need to check your business-based records too. The person to whom the data relates is called the ‘data subject’ under the terms of the regulation.
The second point to note is that the article uses the term ‘any information’, and this is crucial. It isn’t simply a case of dealing with traditional information such as names, addresses and bank details. You’ll also need to think in terms of electronic data such as cookies, biometric data, and even health-related records such as DNA or test results.
The key though that links these two elements is the phrase ‘identified or identifiable’. In short, it is the ability to relate data to a person that is the important point. It is also vital to bear in mind that people can be identified either directly or indirectly given enough information.
As an example, imagine credit card details being stored with no name, but with the house number and postcode of the card holder. This is a common combination, and although the subject cannot be identified directly from the data, they are identifiable from the combination of information found in the record.
Consequently, the controller of data needs to be mindful of the possible use of that data and the combination possibilities that arise.
Once the business has thought about what types of information comprise personal data, it needs to go about identifying the places where that data may exist.
In most cases there will be more traditional holding methods, such as address books, sales records, customer listings etc., that hold information which by design allows the data subject to be identified.
These should be fairly easy to spot on the face of it, but the company will also need to ensure that it captures all areas where such data could exist. As an example, the company may hold formal customer records that include details of purchases by individuals, but the business may also have sales personnel who keep their own diaries or sales records. These may be informal or unauthorised, but they still form part of the GDPR environment.
Most companies nowadays hold information in electronic form, either in their accounting records, on spreadsheets or both. In some cases the data may be held locally on a desktop, laptop or server or the business might use online software such as SaaS CRM, accounting or spreadsheets to store information.
Some of the information may be produced manually, but there are also a great many instances where reports are produced by systems automatically and delivered to the recipient without any human intervention.
In all these cases managers will have to identify the sources of the information and then apply the principles of GDPR to the use of this data to decide how to deal with it in future.
Data, though, is not confined to areas where we can normally see it. Businesses must also consider information relating to individual data subjects that is collected, created and processed by automated means.
A good example would be tracking data that results from the use of a website. This data identifies the individual and is then used to analyse their habits and internet usage, and often to serve up more or less targeted advertising.
Tracking information is all around us in modern life, and its effects can be experienced in the devices we use such as phones and tablets, on websites we visit through cookies and trackers, and even in white goods and entertainment equipment (TVs, consoles, audio-visual equipment) through the internet of things.
Understanding what constitutes personal data, who is a data subject and where information could be stored are key parts of the compliance procedure for businesses under the new GDPR regime. Companies wanting to ensure compliance will need to analyse what they collect, process and store as the first step in their GDPR project.