Determining what is personal data for GDPR purposes could be complex.
Broadly speaking, personal data is any piece of information that can be used to identify a person.
The key points:
The information must relate to an identified or identifiable natural person.
All information that can be used to identify a natural person comes under the scope of the Regulation. This can be direct or indirect identification. There is some information that can be used to identify a natural person directly; for example, the combination of a natural person’s name and date of birth. There is other information that can indirectly identify a natural person. For example, specifically referring to the Marketing Manager of ABC Limited could help identify that individual and hence is covered by the GDPR.
Online identifiers are fully covered by the GDPR. Recital 30 of the Regulation says “Natural persons may be associated with online identifiers provided by their devices, applications, tools and protocols, such as internet protocol addresses, cookie identifiers or other identifiers such as radio frequency identification tags. This may leave traces which, in particular when combined with unique identifiers and other information received by the servers, may be used to create profiles of the natural persons and identify them”. This means that data recorded by and obtained from smart phones, software applications, IP addresses, cookies used for website tracking or lead forensics, location information and social media profiles are all personal data for GDPR purposes.
The context in which personal data is collected and processed is very important. In certain circumstances, the available information may not directly identify the individual but may enable a reasonable guess to be made. If so, that information is indeed personal data.
GDPR extends its coverage to information pertaining to genetic, physiological, mental, economic and the social identify of a natural person. This includes information gathered through profiling i.e. data gathered through automatic processes for the purpose of evaluating personal aspects relating to a natural person such as performance at work, shopping interests, personal preferences or other behavioural patterns.
Recital 26 makes it clear that the principles of data protection do not apply to anonymous data i.e. data which does not relate to an identified or identifiable natural person or to personal data rendered anonymous in such a manner that the natural person to which it relates is no longer identifiable.
One of recommended controls over personal data is pseudonymisation, which we will look into in a separate article.
When discussing personal data, it is important to remember that the primary aims of the GDPR are to (1) protect natural persons with regard to the processing of personal data and rules relating to the free movement of personal data and (2) protect fundamental rights and freedoms of natural persons and in particular their right to the protection of personal data. Recital 6 of the Regulation says “Rapid technological developments and globalisation have brought new challenges for the protection of personal data. The scale of the collection and sharing of personal data has increased significantly. Technology allows both private companies and public authorities to make use of personal data on an unprecedented scale in order to pursue their activities. Natural persons increasingly make personal information available publicly and globally”. Given that the rights of individuals are paramount, any technological or online identifier, that on its own or in conjunction with other identifiers, which can identify a natural person is covered by the GDPR and merits the implementation of protection and compliance measures around it.
Chamber Train also offers a half day or full day compliance course in GDPR which through hands on learning will teach you what changes your organisation may need to action to remain compliant. Click HERE for more information.
By Subrahmaniam Krishnan-Harihara, Research & Analytics Manager Greater Manchester Chamber of Commerce