How was personal data defined pre-GDPR?
Under the Data Protection Directive (DPD), the definition of personal data was “any information relating to an identified or identifiable natural person ('data subject'); an identifiable person is one who can be identified, directly or indirectly, in particular by reference to an identification number or to one or more factors specific to his physical, physiological, mental, economic, cultural or social identity” (article 2 (a)). Such information included names, images, contact information, or personal identification numbers like bank accounts or NI numbers.
GDPR personal data definition
Within the GDPR, personal data is defined as information “relating to an identified or identifiable natural person (‘data subject’)”. The definition has been broadened under the GDPR to include location data, biometric data and online identifiers such as IP addresses and mobile device identifiers. The list of potential identifying factors has also been expanded to expressly include genetic factors.
The GDPR's expansion of the definition of personal data reflects the modern methods organisations use to collect data on consumers. Since 1995, the Internet has become far more widely available across the world, and as a result much more information about consumers is available online. Organisations can use technology to gather specific data, such as geo-locations, and then use this information for targeted marketing. Under the GDPR, targeted marketing methods like profiling (where a company uses a customer's browsing history, purchase history, etc. to deliver specific content) will no longer be allowed unless customers specifically consent to this use or the organisation can demonstrate a legitimate interest in such processing which does not override the interests of individuals.
How to identify personal data?
When considering what constitutes personal data, it is important to consider the context. Information that could apply to many people is not, by itself, personal data. For example, many people share the same first name, but few people share the same name and live in a certain town or work in a certain office. On the other hand, data such as bank account numbers or IP addresses can identify a specific individual without the assistance of any additional information.
Determining what constitutes personal data involves many grey areas. To make the process a bit clearer, it can be helpful to ask a series of questions:
- Can the person be identified through direct or indirect means?
- Can the individual be identified through online identifiers such as an IP address?
If you answer yes to any of these questions, then it is likely that your company collects and processes personal data and you must comply with GDPR requirements.
How to protect personal data?
The GDPR recommends, where appropriate, that data should be pseudonymised to prevent personal data being attributed to a specific individual. Pseudonymisation involves replacing crucial identifying information with pseudonyms, which makes it harder to link the data to an individual. However, the Article 29 Working Party (WP29), the independent European Union advisory body on data protection and privacy, states that “pseudonymisation techniques alone cannot be regarded as making the data unintelligible.”
As a result, the GDPR also requires that data is protected by appropriate technical and organisational measures to ensure a level of security appropriate to the risk, which may include pseudonymisation or encryption of data where appropriate. Encryption translates the data into a form that is unintelligible to anyone without the decryption key. In other words, it should prevent unauthorised individuals from accessing the information. Thus, it is widely regarded as one of the safest ways to protect information and keep it from falling into the wrong hands.
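As an added illustration of the pseudonymisation step described above (example code written for this page, not part of the original article or any GDPR guidance), the following replaces the direct identifiers in a customer record with keyed HMAC-SHA256 tokens. The field list, the sample record and the key handling are assumptions for the example; the point it makes is the WP29 one: the remaining fields (town, employer) are untouched, and whoever holds the key can still link the tokens back, so the key must be stored apart from the pseudonymised dataset and the dataset still needs encryption and access control.

```python
import hashlib
import hmac
import secrets

# Assumed list of direct identifiers for this example: the kinds of values the
# article names as personal data (names, NI and account numbers, IP addresses).
DIRECT_IDENTIFIERS = ("name", "ni_number", "bank_account", "ip_address")

# Constructed sample record; not a real person.
SAMPLE_RECORD = {
    "name": "Alice Example",
    "ni_number": "QQ123456C",
    "ip_address": "203.0.113.7",
    "town": "Smalltown",
    "employer": "Acme Ltd",
}


def pseudonymise_value(value: str, key: bytes, field: str) -> str:
    """Keyed pseudonym for one value.

    A secret key is used rather than a plain hash because identifiers such as
    NI numbers or IPv4 addresses come from small value spaces; an unkeyed hash
    of such a value is trivially reversible by anyone who can enumerate them.
    The field name is mixed in so the same string in two fields gives two tokens.
    """
    mac = hmac.new(key, f"{field}:{value}".encode("utf-8"), hashlib.sha256)
    return mac.hexdigest()[:32]


def pseudonymise_record(record: dict, key: bytes) -> dict:
    """Return a copy of the record with direct identifiers replaced by tokens.

    Indirect identifiers (town, employer, ...) are deliberately left as they
    are, which is why the result is pseudonymised rather than anonymised.
    """
    out = dict(record)
    for field in DIRECT_IDENTIFIERS:
        if field in out:
            out[field] = pseudonymise_value(str(out[field]), key, field)
    return out


def same_subject(token_a: str, token_b: str) -> bool:
    """Two tokens made under the same key refer to the same data subject."""
    return hmac.compare_digest(token_a, token_b)


if __name__ == "__main__":
    # The key lives with the controller, never alongside the pseudonymised data.
    controller_key = secrets.token_bytes(32)
    print(pseudonymise_record(SAMPLE_RECORD, controller_key))
```

Because the same key yields the same token for the same person, records can still be joined for analytics, but that linkability is exactly why the key and the dataset must be held separately.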
What happens if you fail to properly protect data?
There are serious consequences for organisations that fail to properly protect individuals’ personal data. In addition to damaged reputations and profit losses, organisations that fail to comply with GDPR requirements could also face fines of 10 to 20 million Euros or 2% to 4% of international profits (whichever is greater).
To make sure that your company is properly prepared for the GDPR, check out our other articles explaining GDPR compliance and data breaches (including how/when to report).