The General Data Protection Regulation (GDPR) becomes UK legislation on 25 May 2018, replacing the current Data Protection Act (DPA) 1998. Under the GDPR, the definition of what constitutes ‘personal data’ will change.
Speaking at The Alan Turing Institute on 23 March 2018, Information Commissioner Elizabeth Denham said: “In the end, it comes down to building trust and confidence that organisations will handle their personal data fairly and in line with the law. When you understand and commit to that, compliance will follow.”
GDPR – a wider remit of data processing
The new data processing rules under the GDPR cover a wider remit of personal data than the DPA. They include “the processing of personal data wholly or partly by automated means and to the processing other than by automated means of personal data which form part of a filing system or intended to form part of a filing system.” (GDPR, Article 2 )
What constitutes personal data?
The scope of ‘personal data’ under the GDPR is also broader than under the DPA. It will now constitute “any information relating to an identified or identifiable natural person.” Drilling down, it says that “an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location number, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.”
This definition involves several major changes. Possibly the most significant for most organisations, is the inclusion under ‘personal data’ of online identifiers such as IP addresses and mobile device identifiers.
Personal data that has been psyeudonymised – for example coded or encrypted – may also fall under GDPR rules, “depending on how difficult it is to attribute the pseudonym to a particular individual.”
The GDPR refers to sensitive personal data as “special categories of personal data”. This group is broadly similar to the ‘sensitive data’ definition of the DPA. Some key changes under the GDPR, however, are the inclusion of genetic and some biometric data “when processed to uniquely identify an individual”. Personal data relating to criminal convictions and offences are excluded under this definition, however extra safeguards do apply to its processing.
Under the GDPR, people’s names are not necessarily required to identify someone. It states: “Simply because you do not know the name of an individual does not mean you cannot identify [them]. Many of us do not know the names of all our neighbours, but we are still able to identify them.”
If you’re unsure about what constitutes personal data, a good base rule is to err on the side of caution. Make sure data is secure, reduce the amount of data you store and the length of time you store it.
For information on Me Learning’s flexible, online GDPR training courses click here .
