GDPR: What is “Personal Data”?
We see the question asked time and time again: “what information is considered to be personal data?” And rightfully so.
Having a clear understanding of information that is (and is not) “personal data” could be the difference between you being able to exploit that information to bring value to your business, and it not being exploited at all.
We’re sure you’ve heard by now: all “personal data” must be processed in accordance with the General Data Protection Regulation (or “GDPR”). At the very least, this means that:
- you must inform individuals about the various rights they benefit from in relation to the personal data (for example, the right to request the erasure of personal data, or the right to have personal data updated/corrected);
- the personal data should not be processed by you unless you have a “lawful basis” for processing;
- if you are relying on having obtained consent from an individual in order to have a “lawful basis”, that consent must have been obtained in a manner clearly distinguishable from other matters, and must be “freely given, specific, informed and unambiguous”; and
- other fact-specific requirements must be observed.
So what counts as “personal data”?
Essentially, “personal data” is any information which identifies, or can be used to identify, a living individual. Obvious examples are:
- a name and surname;
- email addresses containing an individual’s name and surname;
- home address; and
- an ID number.
Less obvious examples may be:
- location data;
- an Internet Protocol (IP) address (or other online identifiers);
- a Cookie ID; and
- biometric data.
So, as you can see, the definition of what amounts to “personal data” is very broad.
Information will also be considered to be “personal data” if it does not identify an individual in and of itself, but when collected or paired together with other information held by the data controller, can lead to the identification of an individual.
Further, information that is “pseudonymised”, but which can be reverse engineered to re-identify an individual, will also be considered to be “personal data”. As such, the information will not be considered to be truly “anonymised” unless an individual’s identity is irreversibly removed, or distorted, from such personal data.
If you’re concerned that you are not GDPR-compliant, please speak to our data protection solicitors to discuss how we can help.
Written by Tom Broster, Solicitor