The EU General Data Protection Regulation (GDPR) will be enforced from next year, superseding the Data Protection Act (DPA). With the Regulation expanding the definition of personal data, many organisations have expressed their uncertainty as to what the new definition now includes.
The scope of personal data
Let’s start with the circumstances under which the processing of personal data must meet the GDPR’s requirements. This set of circumstances is now broader than under the DPA, with Article 2 of the GDPR stating that the Regulation applies to “the processing of personal data wholly or partly by automated means and to the processing other than by automated means of personal data which form part of a filing system or are intended to form part of a filing system”.
What constitutes personal data?
The GDPR’s definition of personal data is now also much broader than under the DPA. Article 4 states that “‘personal data’ means any information relating to an identified or identifiable natural person (‘data subject’)”. It adds that:
an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.
Perhaps the biggest implication of this is that, under certain circumstances, personal data now includes online identifiers such as IP addresses and mobile device IDs. The GDPR also introduces the concept of ‘pseudonymous data’: personal data that has been subjected to technological measures (for instance, hashing or encryption) so that it can no longer be attributed to a specific data subject without additional information, which must be kept separately. Pseudonymised data is still personal data; pseudonymisation is a security measure, not a way of taking data outside the Regulation.
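The following Python script is an added illustration, not code from the original article or from the ICO, of what pseudonymising online identifiers such as IP addresses and device IDs looks like in practice, and of why the result is still personal data. The sample records, the identifier field names and the demo key are constructed for the example; a real key would come from a secrets store and be held apart from the records.

```python
import hashlib
import hmac

# Constructed demo key for the example. In production the key comes from a
# secrets store or KMS and is held separately from the pseudonymised records,
# because it is the 'additional information' that allows re-identification.
DEMO_KEY = b"constructed-demo-key-do-not-use-in-production"

# Constructed sample web-server records; the addresses are from the RFC 5737
# documentation range and the device IDs are made up.
SAMPLE_RECORDS = [
    {"ts": "2017-06-01T10:00:00Z", "ip": "203.0.113.17", "device_id": "dev-0001", "path": "/login"},
    {"ts": "2017-06-01T10:00:05Z", "ip": "203.0.113.17", "device_id": "dev-0001", "path": "/account"},
    {"ts": "2017-06-01T10:01:00Z", "ip": "198.51.100.9", "device_id": "dev-0002", "path": "/login"},
]

# Fields treated as online identifiers (an assumption of this example).
IDENTIFIER_FIELDS = ("ip", "device_id")


def pseudonymise(value: str, key: bytes) -> str:
    """Replace an identifier with a keyed hash (HMAC-SHA256).

    A keyed hash is used rather than a plain SHA-256 because identifiers such as
    IPv4 addresses come from a small value space, so an unkeyed digest could be
    recomputed by anyone who obtains the data. With HMAC, recomputation needs
    the key, which is the separately held information the Regulation refers to.
    """
    return hmac.new(key, value.encode("utf-8"), hashlib.sha256).hexdigest()


def pseudonymise_record(record: dict, key: bytes, fields=IDENTIFIER_FIELDS) -> dict:
    """Return a copy of one record with its identifier fields pseudonymised."""
    out = dict(record)
    for field in fields:
        if out.get(field) is not None:
            out[field] = pseudonymise(str(out[field]), key)
    return out


def pseudonymise_records(records, key: bytes, fields=IDENTIFIER_FIELDS) -> list:
    """Pseudonymise a whole batch, leaving the originals untouched."""
    return [pseudonymise_record(r, key, fields) for r in records]


def distinct_subjects(records, field: str = "ip") -> int:
    """Count distinct values of a field. The same input always yields the same
    pseudonym, so records about one person remain linkable to each other."""
    return len({r[field] for r in records})


def reidentify(pseudonym: str, candidates, key: bytes):
    """Recover the original value from a pseudonym, given the key and a candidate set.

    This is what the controller that holds the key can do (for example, to answer
    a subject access request), and it is why pseudonymised data is still personal
    data. Without the right key no candidate matches and None is returned.
    """
    for candidate in candidates:
        if hmac.compare_digest(pseudonymise(candidate, key), pseudonym):
            return candidate
    return None


if __name__ == "__main__":
    pseudo = pseudonymise_records(SAMPLE_RECORDS, DEMO_KEY)
    for r in pseudo:
        print(r)
    print("distinct IP pseudonyms:", distinct_subjects(pseudo))
    known = ["198.51.100.9", "203.0.113.17"]
    print("re-identified with key:", reidentify(pseudo[0]["ip"], known, DEMO_KEY))
    print("re-identified without key:", reidentify(pseudo[0]["ip"], known, b"wrong-key"))
```

Two properties matter for the GDPR question. Linkability is preserved (the two records from the same address still share a pseudonym), so the data still relates to an identifiable person; and whoever holds the key can reverse the mapping for any value they can enumerate, so the key must be stored and access-controlled separately from the records.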
The qualifier of ‘certain circumstances’ is important to highlight here, because it’s often the context in which information exists that determines whether it can identify someone. The same issue applies to the DPA, and the ICO uses the example of a person’s name to explain this issue:
By itself the name John Smith may not always be personal data because there are many individuals with that name. However, where the name is combined with other information (such as an address, a place of work, or a telephone number) this will usually be sufficient to clearly identify one individual.
However, it also notes that names are not necessarily required to identify someone:
Simply because you do not know the name of an individual does not mean you cannot identify [them]. Many of us do not know the names of all our neighbours, but we are still able to identify them.
Generally, if you’re unsure whether the information you store is personal data or not, it’s best to err on the side of caution. This means not only making sure that data is secure, but also reducing the amount of data you store and ensuring that you don’t store any information for longer than necessary.
As well as the changes to the definition of personal data, the GDPR alters or introduces many requirements for processing data. This includes stronger consent requirements, giving data subjects ‘the right to be forgotten’ and requiring some organisations to appoint a data protection officer. More information about these, and the GDPR in general, is available on our website.
If you’re looking for a thorough understanding of the GDPR, you should attend one of our certified training courses:
Book the Certified GDPR Foundation and Practitioner Combination Course and save 15%.