Simply put, personal data is information that relates to an individual. In an age where personal data has become a valuable commodity, and the data security of individuals is under constant threat from cyber attackers and others, tighter regulation of organisations that process personal data has become essential.
In the UK organisations are subject to the General Data Protection Regulation (GDPR). This legislation gives our regulator – the Information Commissioner’s Office (ICO) – extensive powers to investigate and sanction companies that do not comply with the laws on data protection. ICO fines can be significant and GDPR breaches can cause irreparable reputational damage to an organisation. As a result it has become necessary for all businesses that process personal data to implement GDPR compliant procedures and ensure that staff receive adequate training on data protection principles. In this article we introduce some of the key issues around data protection and GDPR.
- What is personal data?
- What is not considered personal data?
- Who’s involved in managing personal data?
- Who is the data subject?
- What are personal data identifiers?
- What are related factors?
- What is special category personal data?
- Is anonymised data still protected under GDPR?
- Is information about companies included as personal data?
- What factors do you need to consider when processing personal data?
What is personal data?
Remember that GDPR only applies to personal data – not all the information you hold will be caught by the rules. But information that directly identifies an individual (a person’s name for example) or is capable of indirectly identifying them when taken alongside other information about them (like a National Insurance number) is personal data that you must process in a secure, GDPR compliant manner. In practice this means only processing the data if you have a lawful basis for doing so such as obtaining the consent of the individual and you comply with rules about storage of data and data retention.
What is not considered personal data?
This is essentially any data that cannot be used on its own to identify a living individual.
Businesses and public authorities are entities so don’t apply to individuals unless of course the name of the entity can identify a living individual, such as firstname.lastname@example.org, if of course, Louis Vuitton was a living identifiable person.
Who’s involved in managing personal data?
There are two key people involved in the collection and processing of data:
- Data Controller: This is the person who has ultimate control of the data and how it is processed.
- Data Processer: The person who processes the data on behalf of the data controller.
It’s possible for there to be more than one person in each role, and it’s also possible for one person to have both roles. Many organisations will appoint a data protection officer specifically to help with data protection law compliance.
Who is the data subject?
The person to whom, personal data relates, is called a data subject. A data subject must be a living individual that is identifiable from, the personal data.
What are personal data identifiers?
We’ve seen that personal data must identify an individual, directly, or indirectly. This means distinguishing the individual from others. Ways an individual can be directly identified (‘identifiers’) include:
- ID number
- An individual’s location
- Online identifiers such as IP and MAC addresses and device fingerprints
It’s also possible that someone could be indirectly identified from the information you hold, for example through a car registration number, a national insurance number or passport number. Consider whether, through a combination of the information you hold and other information held by a third party an individual could be distinguished from others.
A person’s name is the most common identifier but an additional identifier such as an address will be necessary to distinguish that individual from someone with the same name.
If you are holding data that identifies an individual you should:
- Keep the information secure
- Protect it from inappropriate disclosure
- Be open about how you are collecting the information
- Ensure that you are justified in any processing
What are related factors?
Identifying an individual from the data you hold is key to establishing whether or not the data is personal (and subject to GDPR). But that’s not the whole picture. For data to be caught by GDPR it must also relate to an individual. Is the information about the individual or in some way linked to them?
To establish whether information is related to an individual you need to examine the content of the data, consider the purposes for which you are processing it, and assess the likely impact this will have on the individual.
Examples of related factors that are about an individual or their activities include:
- Medical history
- Criminal record
- HR records
- Bank statements
- Phone bills
What is special category personal data?
Not all personal data requires the same level of protection. GDPR recognises that certain data is so sensitive that if it were to be the subject of a breach or cyber-attack the impact on the individual data subject would be significant. GDPR refers to this type of data as ‘special category data’.
It includes data relating to:
- Ethnic origin
- Political opinions
- Religious or philosophical beliefs
- Trade union membership
- Genetic data
- Biometric data (where this is used for identification purposes)
- Health data
- Sex life
- Sexual orientation
If your business is processing special category data you are required to satisfy a series of additional conditions set out in GDPR. And because processing such data may carry a high degree of risk you will usually need to complete a data protection impact assessment (DPIA).
Is anonymised data still protected under GDPR?
If we bear in mind that the whole purpose of data protection law is to protect individuals from harm, it follows that the GDPR rules have no application to anonymised data. Data that has been anonymised correctly (so that it meets GDPR requirements) doesn’t relate to an identified or identifiable individual. Our training and advice sessions and the data protection audits we offer encourage organisations to anonymise data where possible because in doing so you limit your exposure to data breaches and regulatory intervention.
Is information about companies included as personal data?
No. GDPR applies only to data that relates to a natural as opposed to a legal person. It’s not concerned with data relating to companies, public authorities or other legal entities. GDPR however does apply to officers of a company, including directors and secretaries as well as to company employees.
It’s also worth noting that GDPR does not apply to data relating to deceased individuals.
What factors do you need to consider when processing personal data?
We’ve already touched on some of the factors to consider when processing personal data. Does it relate to an individual? Is the data particularly sensitive? Should you anonymise the data? Elsewhere on the website we answer many of the common questions about data processing.
You should also bear in mind the seven principles of GDPR that underpin the entire data protection regime. They require data to be:
- Processed lawfully
- Collected for a legitimate purpose
- Processed in a way that is limited to what is necessary
- Maintained accurately and kept up to date
- Kept in a way that identifies individuals only for as long as necessary
- Processed securely
Controllers and processors must also be able to demonstrate GDPR compliance – the accountability principle.
In addition to complying with these principles, data processors must be able to justify their processing – that is to say they must have a lawful basis for doing so. Grounds for processing include the fact that you have the individual’s consent, you are processing the data in performance of a public task or you have a legal obligation to process the data. Processors must also always bear in mind the rights of individuals and the importance of security when processing personal data.