The General Data Protection Regulation, or ‘GDPR’, has finally settled in. As you have no doubt heard, “personal data” lies at the very core of the new regulation, but not all data is considered to be “personal data”. As such, and contrary to popular belief, the GDPR need not apply to certain types of data that business process, provided that such data is collected, stored and processed in the correct way.
In essence, “personal data” is information relating to living individuals who are identified, or can be identified, from that information. A wide array of information will qualify as “personal data”, ranging from the obvious (such as an individual’s name and date of birth), to the less obvious (like IP addresses). This, in turn, means that companies must comply with the GDPR, which includes the need to ensure that there is an appropriate legal basis for processing such data, that privacy policies include the correct information and that appropriate contractual provisions are in place with third party processors. It is clear, therefore that companies may want to avoid this.
One of the easiest ways for a company to avoid the need to comply with the GDPR is to not collect, control or process “personal data”. In other words, if companies are able to anonymise data to the point that such data cannot be used to identify a living individual, there will be no need to ensure GDPR compliance in respect of such personal data.
A method of anonymization may be that the personal data is “scrambling” (i.e. where the data is mixed or jumbled). For example, my name ‘Thomas Broster’ could be scrambled to become ‘Btostas Torhem’. Such data, once scrambled, is no longer considered personal data as it could not be used to identify me personally.
However for data to be considered “anonymised”, it doesn’t necessarily mean that it has to be impossible for anyone to trace the identity of the person. The ICO guidelines state that the key determinate is accessibility of re-identification, so if anonymised data is disclosed within a “secure local environment” it remains anonymous, as an organisation or a general member of the public still couldn’t use the information to identify the original person. It is important to note that anonymisation is not absolute – as it is determined by whether data makes a person identifiable, there are many borderline cases where the identifiability of a person isn’t clear-cut. It is better to take as many steps as possible to ensure that the risk of re-identification stays as low as possible.
For more information on anonymisation please consult the ICO code of practice here: https://ico.org.uk/media/1061/anonymisation-code.pdf
Many businesses and organisations today process vast quantities of personal data and therefore fall under the General Data Protection Regulations. Storing, amongst various other ways of handling data counts as processing the data, which consequently brings that organisation under the remit of the stringent rules and measures associated with the GDPR. Where possible, companies and businesses storing personal data should be aware that if it is anonymised, even if it is using their own formula (a “custom” anonymisation process), the handling of that data is unlikely to fall within the remit of the GDPR, therefore reducing the risk of non-compliance.