GDPR personal data – what information does this cover?
What is meant by GDPR personal data and how it relates to businesses and individuals.
Almost all of our interactions with organizations involve an exchange of personal data. Examples include name, phone number, and address.
One of these pieces of data on its own may not be enough to identify an individual. However, when collected together, they can identify a particular person and therefore constitute personal data. This is why such data is often referred to informally as personally identifiable information, or PII, although the GDPR itself uses the broader term "personal data".
Data ceases to be personal when it is made anonymous, and an individual is no longer identifiable. But for data to be truly anonymized, the anonymization must be irreversible.
Data that has been encrypted, de-identified, or pseudonymized but can still be used to re-identify a person remains personal data.
The GDPR exists to protect our personal data on all levels. It is protected on all platforms, regardless of the technology used, and it applies to both manual and automated processing. Personal data laws also apply regardless of how the data is stored, be it an IT system, paper, or video surveillance.
The GDPR was adopted in 2016 and has applied since 25 May 2018, with the aim of providing one set of privacy rules for the whole European Union.
The GDPR sets out how organizations and businesses must handle information relating to the individuals with whom they interact. It has also made it easier for citizens of the European Union to understand their rights over their personal information and to exercise them.
This is important because technology is changing faster than ever, and personal data is evolving with it. The smartphone has become central to the modern world, and almost half of the world’s population has social media accounts.
This has drastically changed the nature of the personal information that we share. It now includes biometric data, like fingerprint identification and retina scans, and location data from IP addresses and Google Maps. For this reason, our personal information is more vulnerable than ever.
Personal data is central to the ethos of the General Data Protection Regulation (GDPR). However, some people are still unsure of what ‘personal data’ specifically refers to.
The basic definition of personal data is any information relating to an identified or identifiable natural person (data subject).
In other words, any information that obviously relates to a particular person and can be used to identify them.
The GDPR treats data as "personal data" if an individual can be identified, directly or indirectly, by reference to an identifier such as a name, an identification number, location data, or an online identifier such as an IP address,
or by reference to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural, or social identity of that natural person.
In some circumstances, even information related to a person’s job, hair color, or political opinions could be classed as personal data. Usually, this comes down to the context in which the data was collected and whether a data subject could be directly or indirectly identifiable.
The definition of personal data is any information relating to an “identified or identifiable natural person.” When most people think of personal data, they think of phone numbers and addresses; however, personal data covers a range of identifiers.
Personal data relating to GDPR does not cover:
A person can be identified if they are distinguishable from another individual. The GDPR asks companies to consider:
All organizations should err on the side of caution when it comes to processing personal data.
The GDPR suggests that they should ensure that the processing of any personal information is limited to what is necessary.
Organizations should only keep this data for as long as it meets its purpose. They should also try to pseudonymize and/or encrypt this information – especially if it is classed as sensitive data.
Pseudonymization replaces the identifying fields in a record with artificial identifiers, with the additional information needed to map them back to a person held separately and protected.
Although it is a useful safeguard for the security and privacy of personal data, pseudonymization is limited. Pseudonymous data does not identify a person directly, but the person can often be re-identified indirectly, whether by whoever holds the mapping or by combining the remaining attributes with other data.
Some examples of this type of personal data include
Encryption is often grouped with pseudonymization, but it works differently. Rather than swapping identifiers for artificial ones, it transforms the data itself into ciphertext that cannot be read without the decryption key, and it can be applied to individual fields or to the whole record.
So while pseudonymized data leaves the non-identifying attributes readable to anyone with legitimate access to the data set, encrypted data can only be read by users who hold the key. In both cases the person can be recovered by whoever holds the key or the mapping, which is why both remain personal data under the GDPR.
The GDPR states that encryption and pseudonymization can be used together or separately, and many organizations choose to use both methods to protect their data subjects.
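The following is an added example, not code from the original article: it pseudonymizes a constructed set of customer records by replacing the e-mail address with a keyed hash (HMAC-SHA256), and then shows the two points the text makes. First, the holder of the key can still re-identify each person, so the output is still personal data. Second, the shortcut many teams take, an unkeyed SHA-256 of the identifier, is not even pseudonymization in practice, because anyone with a list of candidate e-mails can reverse it. The records, key and candidate list are all constructed for the demonstration.

```python
"""Pseudonymization of direct identifiers with a keyed hash, and why the
result is still personal data.  Added example; records and keys are constructed."""
import hashlib
import hmac
import secrets

# Constructed sample records; these are not real people.
RECORDS = [
    {"email": "alice@example.com", "city": "Lyon", "purchase": 42.00},
    {"email": "bob@example.com",   "city": "Lyon", "purchase": 19.50},
    {"email": "alice@example.com", "city": "Lyon", "purchase": 7.25},
]

TOKEN_LEN = 16  # hex characters kept from the HMAC output


def keyed_token(identifier, key):
    """HMAC-SHA256 of the identifier under a secret key, truncated to a token."""
    return hmac.new(key, identifier.encode(), hashlib.sha256).hexdigest()[:TOKEN_LEN]


def pseudonymize(records, key):
    """Replace the direct identifier (email) with a keyed token.

    The same key yields the same token for the same email, so records for one
    person stay linkable.  That linkability is useful for analytics and is also
    exactly why the data set remains personal data: whoever holds the key can
    map tokens back to people.
    """
    out = []
    for r in records:
        out.append({
            "subject": keyed_token(r["email"], key),
            "city": r["city"],
            "purchase": r["purchase"],
        })
    return out


def reidentify_keyed(token, candidates, key):
    """Map a token back to an identifier.  Only works for the key holder."""
    for c in candidates:
        if hmac.compare_digest(keyed_token(c, key), token):
            return c
    return None


def naive_hash_pseudonym(identifier):
    """Unkeyed SHA-256 of an identifier: a common but weak 'pseudonym'."""
    return hashlib.sha256(identifier.encode()).hexdigest()


def reidentify_naive(token, candidates):
    """Reverse an unkeyed hash by hashing each candidate (a dictionary attack).

    No secret is needed, so anyone with a plausible list of emails can do this,
    which is why unkeyed hashing does not de-identify the data.
    """
    for c in candidates:
        if hmac.compare_digest(naive_hash_pseudonym(c), token):
            return c
    return None


if __name__ == "__main__":
    key = secrets.token_bytes(32)  # keep this separate from the pseudonymized data
    for row in pseudonymize(RECORDS, key):
        print(row)
    attacker_list = ["alice@example.com", "bob@example.com", "carol@example.com"]
    print("naive hash reversed to:", reidentify_naive(naive_hash_pseudonym("bob@example.com"), attacker_list))
    print("keyed token without key:", reidentify_keyed(keyed_token("bob@example.com", key), attacker_list, b"wrong"))
```

Storing the HMAC key (or an explicit token-to-email table) in a different system with its own access control is what makes this pseudonymization rather than a cosmetic rename; if the key sits next to the data, anyone who can read the data set can re-identify everyone in it.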
It is normal for organizations to collect a number of different types of personal data. It is important for them to consider that even if one piece of information doesn’t identify an individual, it could become relevant when combined with other information.
For example, the data controller at an organization might ask their customers what their occupation is, and with this information alone, it would not be possible to identify them. Therefore, this information alone does not fall under the scope of personal data according to the GDPR because a job title is not usually specific to one individual person.
However, if the data controller also asks them what company they work for, these pieces of information combined could narrow down the number of natural, living persons at a company with a particular occupation and possibly identify a person. In other words, if you refer to an individual who has a specific job title at a certain company, there may be one person who fits that description.
Of course, this is not always the case. If you know only that a person is a barista at Starbucks, you are unlikely to be able to identify them, so those two pieces of information together would not be personal data on their own; the answer depends on how many people fit the description and on what other data the combination could be linked with.
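The occupation-plus-employer reasoning above is something a data controller can actually check before deciding whether a field combination needs to be treated as personal data. The following is an added example, not code from the original article: it counts how many rows in a constructed staff table share each combination of chosen attributes, reports the smallest such group (the "k" of k-anonymity), and flags combinations that single out exactly one person. The table is constructed for the demonstration.

```python
"""Does a combination of attributes single out one person?  Added example;
the rows are constructed, not a real directory."""
from collections import Counter

# Constructed rows: no names, just the two attributes from the article's example.
STAFF = [
    {"job": "barista", "employer": "Starbucks"},
    {"job": "barista", "employer": "Starbucks"},
    {"job": "barista", "employer": "Starbucks"},
    {"job": "barista", "employer": "Local Cafe"},
    {"job": "chief financial officer", "employer": "Acme Widgets"},
    {"job": "chief financial officer", "employer": "Globex"},
]


def group_sizes(rows, keys):
    """Count rows for every combination of the given attribute names.

    Returns a Counter keyed by a tuple of values in the order of `keys`.
    """
    return Counter(tuple(r[k] for k in keys) for r in rows)


def min_group_size(rows, keys):
    """Smallest group for this attribute combination.

    A value of 1 means at least one combination identifies exactly one row,
    so those attributes together act as an identifier in this data set.
    """
    return min(group_sizes(rows, keys).values())


def singles_out(rows, keys, value):
    """True if exactly one row has this value tuple for the given keys."""
    return group_sizes(rows, keys)[value] == 1


def identifying_combinations(rows, keys):
    """All value tuples that match exactly one row."""
    return sorted(v for v, n in group_sizes(rows, keys).items() if n == 1)


if __name__ == "__main__":
    print("job alone, smallest group:", min_group_size(STAFF, ("job",)))
    print("job+employer, smallest group:", min_group_size(STAFF, ("job", "employer")))
    print("singling out:", identifying_combinations(STAFF, ("job", "employer")))
```

In the constructed table, "barista" at "Starbucks" matches three rows, so that pair does not single anyone out, while "chief financial officer" at "Acme Widgets" matches one row and therefore functions as an identifier. The same check on a real data set should be run against the population the data could be linked to, not just the rows you hold, since an attacker combines your data with whatever else is available.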
Although the terms “personal data” and “sensitive data” are often used to describe the same thing, the GDPR makes a clear distinction between these two terms.
According to the regulation, sensitive data is a set of special categories that should be handled with extra security. These special categories are:
There are extra rules for processing sensitive personal data. As with any personal data, you must document a lawful basis for the processing under Article 6 of the GDPR, and in addition the processing must meet one of the specific conditions set out in Article 9, such as the explicit consent of the data subject.
According to Article 6, organizations must have:
There is a common assumption that according to the GDPR, all organizations must obtain consent in order to process personal data, but this is not the case.
Consent is only one of the lawful bases available to organizations, and it is not always the best one: individuals can withdraw consent at any time, and processing that relies on it must then stop, which can cause complications.
When organizations don’t take the time to study the GDPR compliance requirements, they can be tripped up, and this has the potential to cause lasting damage, from regulatory fines and enforcement action to loss of customers and negative press.
The GDPR sets out very strict guidelines with regard to personal data and how it is used.
If personal data is accidentally or unlawfully destroyed, lost, altered, disclosed without authorization, or accessed without authorization, this is classed as a personal data breach.
Personal data is a key aspect of online identity, but unfortunately, it can be exploited. Some individuals might alter personal data to hijack mailboxes, create fake documents, and use people’s contact information to harass them.
They might even commit Financial Identity Theft, which usually involves credit card and bank account details being stolen to be used or sold. In other cases, personal data that has been breached is used to create false online identities, such as fake social media profiles.
This is commonly referred to as Identity fraud or Identity Cloning.
Once an individual has access to certain personal data such as your name, date of birth, ID documents or Social Insurance Number, and passwords, they can use them to log in to different websites in order to access even more information that they can use to their advantage.
Personal data breaches are not always a result of cybercriminals hacking into a company system.
In fact, many of these incidents occur when an employee accidentally makes personal information public.
This could be through an email that was sent to the wrong person, a technical error on the company’s webpage, or losing a laptop or another personal device that contains personal data.