Data protection law in the UK has changed as a result of Brexit. You can find the latest guidance here.
At the heart of the GDPR (General Data Protection Regulation) is the concept of ‘personal data’.
But what constitutes personal data? Are names and email address classified as personal data? What about photographs and ID numbers?
And where does the related concept of ‘sensitive personal data’ fit in?
If you’re unsure of the difference between personal and sensitive data, keep reading. We explain everything you need to know and provide examples of personal and sensitive personal data.
What is personal data?
In the most basic terms, personal data is any piece of information that someone can use to identify, with some degree of accuracy, a living person.
For example, the email address firstname.lastname@example.org” is considered personal data, because it indicates there can only be one John Smith who works at Company X.
Likewise, your physical address or phone number is considered personal data because you can be contacted using that information.
Personal data is also classed as anything that can affirm your physical presence somewhere. For that reason, CCTV footage of you is personal data, as are fingerprints.
That sounds simple enough so far – but things are complicated when you factor in that each piece of information doesn’t have to be taken on its own.
Organisations typically collect and store multiple pieces of information on data subjects, and the amassed information can be considered personal data if it can be pieced together to identify a likely data subject.
Think of it like a massive game of Guess Who?
Under certain circumstances, any of the following can be considered personal data:
- A name and surname
- A home address
- An email address
- An identification card number
- Location data
- An Internet Protocol (IP) address
- The advertising identifier of your phone
You might think that someone’s name is always personal data, but as the ICO (Information Commissioner’s Office) explains, it’s not that simple:
“By itself the name John Smith may not always be personal data because there are many individuals with that name. However, where the name is combined with other information (such as an address, a place of work, or a telephone number) this will usually be sufficient to clearly identify one individual.”
However, the ICO also notes that names aren’t necessarily required to identify someone:
“Simply because you do not know the name of an individual does not mean you cannot identify [them]. Many of us do not know the names of all our neighbours, but we are still able to identify them.”
What is sensitive personal data?
Sensitive personal data is a specific set of “special categories” that must be treated with extra security. This includes information pertaining to:
- Racial or ethnic origin;
- Political opinions;
- Religious or philosophical beliefs;
- Trade union membership;
- Genetic data;
- Data related to a person’s sex life or sexual orientation; and
- Biometric data (where processed to uniquely identify someone).
Sensitive personal data should be held separately from other personal data, preferably in a locked drawer or filing cabinet.
As with personal data generally, it should only be kept on laptops or portable devices if the file has been encrypted and/or pseudonymised.
A common misconception about the GDPR is that all organisations need to seek consent to process personal data.
In fact, consent is only one of six lawful grounds for processing personal data, and the strict rules regarding lawful consent requests make it the least preferable option.
However, there will be times when consent is the most suitable basis, and organisations need to be aware that they need explicit consent to process sensitive personal data.
Nuances like this are common throughout the GDPR, and any organisation that hasn’t taken the time to study its compliance requirements thoroughly is liable to be tripped up.
This could lead to lasting damage, such as enforcement action, regulatory fines, bad press and loss of customers.
Avoid a regulatory fine with GDPR training
Gain a comprehensive introduction to the GDPR and a practical understanding of the implications and legal requirements for organisations with our one-day GDPR Foundation training course.
The course will give you a clear understanding of the main elements of the GDPR, with the ability to gain a deeper understanding by asking the trainer questions during the training.
A version of this blog was originally published on 18 July 2018.