What is personal data under GDPR?
The new General Data Protection Regulation (GDPR) comes into force on May 25th 2018.
In today's digital world, we share personal data in most transactions – from online banking to social media – so GDPR has been introduced to protect this data. Personal data is a very generic term, so what counts as personal data? And how will it change under the new guidance?
Out with the old.
Under the current UK Data Protection Act, personal data is defined as: 'any information relating to a living, identified or identifiable natural person.' This is broad and covers all data that could identify someone – e.g. a person's name, user ID or address – as well as information about someone's medical, mental, social or economic identity.
In with the new.
One of the main reasons for introducing GDPR is to clearly define what counts as personal data and write it into law. GDPR follows the same general definition of personal data – all name and location data – but includes new types of digital data called online identifiers. This includes IP addresses, cookie strings and mobile device IDs.
GDPR has a sub-category of personal data called 'sensitive data' which adds another layer of protection. Sensitive data includes:
- Racial or ethnic origin
- Political opinions
- Religious or philosophical beliefs
- Trade-union membership
- Health or sex life
Under GDPR, sensitive data is highly protected and organisations need permission from the individual to process it. Two other types of data have been added to this list: genetic data and biometric data. Genetic data covers gene sequences that are used and stored for research purposes. Biometric data includes fingerprints, retinal scans and face recognition, which are now commonly used for entry systems and mobile phones.
Many organisations already encrypt personal data so that it can't be used to identify a person without being decrypted. You'd think that this data is no longer considered personal, but under GDPR, it is. No matter how securely data is stored, computer systems can be hacked and the data decrypted, so encrypted data is still considered personal data.
However, GDPR wants to encourage organisations to use pseudonyms, so if data is suitably pseudonymised and the data subject can't be identified at all, the rules don't apply. This is a bit confusing, but it means companies have some wiggle room if they code data appropriately.
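The distinction the two paragraphs above draw is easier to see in code. The following is an added example, not code from the original post: it replaces the direct identifiers in a record with a keyed token (an HMAC over the e-mail address), keeps the re-identification table and the secret key apart from the working data set, and includes the check a controller should run to confirm that a token cannot simply be recomputed from a guessed identifier. The record layout, field names, sample people and the demo key are all constructed for illustration.

```python
import hmac
import hashlib
import secrets

# Constructed sample records; these are not real people.
RECORDS = [
    {"name": "Alice Example", "email": "alice@example.com",
     "postcode": "AB1 2CD", "purchases": 3},
    {"name": "Bob Sample", "email": "bob@example.net",
     "postcode": "XY9 8ZW", "purchases": 1},
]

# Fields that identify a person on their own (assumed layout).
DIRECT_IDENTIFIERS = ("name", "email")


def pseudonym(value: str, key: bytes) -> str:
    """Keyed pseudonym for one identifier.

    Same value + same key -> same token, so all records about one person
    stay linkable for analytics. Without the key the token cannot be
    recomputed from the original value, which is what makes it a
    pseudonym rather than a disguised copy of the identifier.
    """
    return hmac.new(key, value.strip().lower().encode("utf-8"),
                    hashlib.sha256).hexdigest()


def pseudonymise(records, key: bytes):
    """Split records into a working data set and a re-identification table.

    The returned table (token -> identifiers) and the key must be stored
    separately from the working data, under the controller's control;
    if they sit next to the records the split achieves nothing.
    """
    lookup = {}
    working = []
    for rec in records:
        token = pseudonym(rec["email"], key)
        lookup[token] = {k: rec[k] for k in DIRECT_IDENTIFIERS}
        pseudo = {k: v for k, v in rec.items() if k not in DIRECT_IDENTIFIERS}
        pseudo["subject_id"] = token
        working.append(pseudo)
    return working, lookup


def re_identify(pseudo_record, lookup):
    """Only whoever holds the table can go back to the person."""
    return lookup.get(pseudo_record["subject_id"])


def unkeyed_token(value: str) -> str:
    """Plain SHA-256 of an identifier: a common but weak 'pseudonym'."""
    return hashlib.sha256(value.strip().lower().encode("utf-8")).hexdigest()


def recomputable_without_key(token_fn, identifier: str) -> bool:
    """Controller-side check: if a token can be regenerated from the bare
    identifier alone, it does not protect the data subject."""
    try:
        return token_fn(identifier) == token_fn(identifier)
    except TypeError:
        # token_fn needs a key: the token is not derivable from the value alone.
        return False


if __name__ == "__main__":
    key = secrets.token_bytes(32)          # generated once, stored apart from the data
    working, lookup = pseudonymise(RECORDS, key)
    print("working data set:", working)
    print("re-identified:", re_identify(working[0], lookup))
    print("plain SHA-256 recomputable from a guessed e-mail:",
          recomputable_without_key(unkeyed_token, "alice@example.com"))
    print("HMAC token recomputable without the key:",
          recomputable_without_key(pseudonym, "alice@example.com"))
```

The working data set carries postcodes and purchase counts but no name or e-mail, so an analyst can count repeat customers without seeing who they are; only the party holding `lookup` and `key` can reverse the mapping. The unkeyed variant is included because it is a frequent mistake: a bare hash of an e-mail address is recomputable by anyone who can guess the address, so it offers no more protection than the address itself.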
Although personal data has the same definition for everyone under GDPR, organisations have to follow slightly different rules depending on whether they're data controllers or data processors.
The data controller owns the data and controls how and why any personal data is processed.
The data processor processes data on behalf of the data controller.
If they don't comply, companies can face huge fines of up to €20 million or 4% of annual turnover – whichever is greater.
Disclaimer: This blog post is not legal advice for your company to use in complying with EU data privacy laws like the GDPR. Instead, it provides background information to help you better understand the GDPR.