GDPR is a data privacy and data protection law that must be interpreted correctly to achieve compliance. While personal data is the core concept of the Regulation, many organizations are still unsure whether certain information meets the GDPR's definition of personal data. There is no definitive list of what is and what is not personal data, so making that determination can be tricky; it ultimately comes down to interpreting the GDPR's definition of personal data correctly. Today's article is about understanding the GDPR's definition of personal data and interpreting it right. So, let us first learn what personal data is and understand its context within the GDPR.
What is Personal Data as per GDPR Regulation?
GDPR Article 4 provides the following definition of "personal data": "Any information relating to an identified or identifiable natural person ('data subject'); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person."
Source: https://gdpr-info.eu/art-4-gdpr/
Personal data covers a broad category of information as defined in the GDPR. Let us take a closer look at the definition to understand its core elements a little better:
- Any information – any piece of data, whether subjective or objective, and in any format (video, audio, numerical, graphical or photographic data) can contain personal data.
- Relating to an identified or identifiable person – information relating to an individual that helps identify them is considered an identifier or identifiable data.
- Natural person – any living individual, as opposed to a company, which the law sometimes treats as a "legal person".
- Data subject – the identified or identifiable natural person to whom the personal data relates, i.e. the person who can be identified, directly or indirectly, by reference to that personal data (Article 4(1), GDPR).
- Identified directly or indirectly – an individual can be identified directly from the information in hand, or indirectly by combining that information with additional information obtained from another source. So, basically, any information that can lead to the direct or indirect identification of an individual will likely be considered personal data under the GDPR.
Understanding these concepts is crucial, as it helps organizations identify personal data and determine which data falls within the scope of the GDPR.
GDPR Personal Data List
Examples of personal data by category:
- General personal data: Name, date of birth, email id, credit card number.
- Special category data: Race, ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, genetic data, biometric data, health data, sex life, or sexual orientation, criminal records.
- Reference number, student number, IP address, membership number of the sports club, gamer's user name, or bonus card number.
Information not considered as Personal Data under GDPR Regulation
- Data of deceased: Information relating to a deceased person does not constitute personal data and therefore is not subject to the UK GDPR.
- Anonymous information, namely information that does not relate to an identified or identifiable natural person, or personal data rendered anonymous in such a manner that the data subject is not or is no longer identifiable.
- Information about a limited company or another legal entity, which might have a legal personality separate from its owners or directors, does not constitute personal data and does not fall within the scope of the UK GDPR.
Final thought – Understanding the context is critical
Personal data covers a vast category of information, so it ultimately boils down to understanding the context and interpreting the definition of personal data under the GDPR appropriately. The information shared above is not an exhaustive list but a guide to help you understand some of the concepts for determining whether the data you process is personal data under the GDPR.
Understanding the context is very important here. Organizations often collect different types of information about people. Even if a piece of data on its own does not identify a person, it may, when combined with other information, lead to the identification of an individual. In that case the data collected by the organization may fall within the scope of the GDPR, requiring the organization to comply with its requirements.
The more data is combined and aggregated, the more likely it is to fall within the scope of the GDPR as personal data. This makes things more difficult for organizations, especially when de-identifying data, and may ultimately result in higher risks and responsibilities and potential GDPR fines and penalties.
So, organizations looking to achieve GDPR compliance should approach a qualified DPO for assistance in determining whether they are on the right track. We at VISTA InfoSec have the expertise, knowledge, and experience to help organizations achieve compliance. Our experts can guide your organization in the classification of data and help you on the journey to compliance. For more details on VISTA InfoSec, visit our site at www.vistainfosec.com.