GDPR: The definition of personal data

The EU General Data Protection Regulation (GDPR) will take effect from May 25, 2018. Unlike previous European data protection directives, the Regulation will apply to any business anywhere in the world that processes the data of EU residents. With the Regulation expanding the definition of personal data, many organizations are uncertain what the definition now includes.

The scope of personal data

Let’s start with the circumstances under which the processing of personal data must meet the GDPR’s requirements. Article 2 of the GDPR states that the Regulation applies to “the processing of personal data wholly or partly by automated means and to the processing other than by automated means of personal data which form part of a filing system or are intended to form part of a filing system.”

What constitutes personal data?

The GDPR’s definition of personal data is broad. Article 4 states that “‘personal data’ means any information relating to an identified or identifiable natural person (‘data subject’).” It adds that:

“An identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location number, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.”

Perhaps the biggest implication of this is that, under certain circumstances, personal data now includes online identifiers such as IP addresses and mobile device IDs. Similarly, the GDPR introduces the concept of ‘pseudonymous data’ – personal data that has been subjected to technological measures (for instance, hashing or encryption).

The qualifier of ‘certain circumstances’ is important to highlight here, because it’s often the context in which information exists that determines whether it can identify someone. The same issue applies to the Data Protection Act, and the Information Commissioner’s Office (the UK’s data protection authority) uses the example of a person’s name to explain this issue:

“By itself the name John Smith may not always be personal data because there are many individuals with that name. However, where the name is combined with other information (such as an address, a place of work, or a telephone number) this will usually be sufficient to clearly identify one individual.”

However, it also notes that names are not necessarily required to identify someone:

“Simply because you do not know the name of an individual does not mean you cannot identify [them]. Many of us do not know the names of all our neighbours, but we are still able to identify them.”

Generally, if you’re unsure whether the information you store is personal data or not, it’s best to err on the side of caution. This means not only making sure that data is secure but also reducing the amount of data you store and ensuring that you don’t store any information for longer than necessary.

GDPR training

As well as the changes to the definition of personal data, the GDPR alters or introduces many requirements for processing data. This includes stronger consent requirements, giving data subjects ‘the right to be forgotten’, and requiring some organizations to appoint a data protection officer (DPO). More information about these, and the GDPR in general, is available on our website.

If you’re looking for a thorough understanding of the GDPR, you should attend one of our certified training courses:

Certified EU General Data Protection Regulation Foundation (GDPR) Training Course

Gain a comprehensive introduction to the GDPR and a practical understanding of the implications and legal requirements for US organizations in this one-day introductory training course.

Next training dates:

Live Online (EST): 22 January 2018, 26 March 2018

Live Online (PST): 19 February 2018

Boston, MA: 5 March 2018

New York, NY: 19 March 2018

Certified EU General Data Protection Regulation Practitioner (GDPR) Training Course

Learn from the experts how to meet the requirements of the EU GDPR. Gain a practical understanding of the tools and methods for implementing and managing an effective compliance framework, and how to fulfill the DPO role.

Next training dates:

Boston, MA: 6–9 March 2018

Book the Certified GDPR Foundation and Practitioner Combination Course and save 15%