GDPR DATA PROTECTION ESSENTIALS – CONFUSED ABOUT PERSONAL DATA?
DEFINING PERSONAL DATA
We know that data protection relates to processing personal data so understanding what exactly personal data looks like forms the core of your data protection legal obligations. Sometimes establishing whether data is personal is not quite as straightforward as it first appears.
We know from the Data Protection Act 1998 that personal data is any data (whether by itself or when combined with any other data that you possess or are likely to possess) which means a living individual is identifiable.
Personal data also includes any opinions or intentions relating to an individual, for example, notes of a recruitment meeting considering whether a candidate is suitable for a job.
Primarily, to fit in with the way that we can now collect, access and use data online, GDPR does not change this definition, GDPR takes the definition a little wider. This means that personal data under GDPR is “any information relating to an identified or identifiable natural person”.
Therefore, if the data held can identify an individual, whether it’s directly or indirectly (such as “an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person”) then it’s personal data.
So, for example, personal data under GDPR will include an IP address and could include data that has been pseudonymised if it is relatively easy to attribute the pseudonym to an individual.
This requires further explanation and some examples, as offered below. It also means you need to look a lot closer at the data you are using and ask more questions about it.
DECIDING WHAT IS PERSONAL DATA
The starting point is whether it would be possible to identify an individual from data. Whilst in many cases, determining whether data is personal will be obvious, bear in mind that you also need to consider whether the data is linked to an individual.
The test means that you have to consider the means used by what the ICO (Information Commissioner’s Office) refer to as a “determined person with a particular reason to want to identify individuals” such as an investigative journalist, an ex-partner, or a stalker.
GDPR confirms that when determining “whether a natural person is identifiable, account should be taken of all the means reasonably likely to be used” considering all “objective factors”, such as costs, time and available technology. That is unhelpful, in our view, without providing examples and making it clear, in practice what it means.
IDENTIFYING PERSONAL DATA
Let’s look at some examples:
I only have in my data a name which could belong to many thousands of people
In theory, you could argue that if the only data you hold is a name which is commonly held (e.g. John Smith) that may not identify an individual, but don’t forget the definition of personal data means that you also need to consider what other data you possess or are likely to possess.
I don’t even have their name
Likewise, just because you don’t have someone’s name does not mean that you could not identify them. For example, a combination of someone’s age, gender and salary could help you identify an employee of a company – an individual.
I only have business data
Data is personal data if the data identifies a living individual either “in personal or family life, business or profession”. This presents a concern for business who may believe that they do not hold any personal data in a business email address.
For example, in suppliers or marketing data you will hold a name and a work email which clearly identifies an individual
Name: Sue Edwards
Remember, the fact that it is a business email address is irrelevant. I can still identify Sue and the “investigative journalist” would not need any more information.
Even if you just have an email address that may also identify an individual. For example, you only have the business email email@example.com Even this identifies the individual. Same with firstname.lastname@example.org
Even a shared email address can identify an individual. For example, email@example.com means you can start to identify who they are if you are processing any other information such as the job title Chief Engineer.
Deciding what personal data is is never quite as straightforward as it should be. Part of your obligations means that you should have
- a process to identify whether data is personal and
- regular reviews of that data because the data we process changes regularly. For example, a sales person will (and should) regularly update the records about your clients/customers.
For more help talk to us on Live Chat or email to GDPR@lawhound.co.uk