GDPR Definition of Personal Data
The General Data Protection Regulation (GDPR) will govern how personal data collected within the European Union (EU) must be treated, but what is the GDPR definition of personal data? This question has been causing confusion for certain organizations but they still must have their systems in place to correctly process and collect data before the law come into force on May 25, 2018.
The term “personal data” is defined in the text of the GDPR’s Article 4, Definitions, but the definition which is given is very broad and intentionally vague. This means that groups must be careful with almost any data that they collect or process. There may even be differences in what is counted as personal data based on the activities, data collected, or processing requirements of the data controller or data processor – it is possible that context will play a role in what is defined as personal data.
The definition stated in Article 4 is that “‘personal data’ means any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person;”.
It is worth taking into account that the GDPR also states that “this Regulation does not apply to the personal data of deceased persons. Member States may provide for rules regarding the processing of personal data of deceased persons.”
To summarize the definition, we can say that, for the most part, personal data under the GDPR governs data that can be used to identify a living person. However, it is important to look a bit deeper into this.
What can be Considered Personal Data?
As “data which can be used to identify a living person” is extremely general, we should examine the concept of “personal data” from a different angle and in respect to different contexts.
Let us imagine a company that is collecting the names of potential customers, one of whom is called John Smith. Given that this is a very common name, it is highly unlikely that the exact John Smith being referred to could be identified from just this name. If the company were to also collect a less common or unique name, for example Filip Phry, it is much more possible that this person could be identified by their name alone. John Smith may not be considered personal data in this case, whereas Filip Phry certainly could be.
Going further, imagine this company collects more detailed information on John Smith such as what city he lives in, his marital status, and his favorite brand of shoes. This combined information could be used to identify the correct John Smith and the information, including the name, could therefore be considered as personal data. The ability to identify the individual, directly or indirectly, is the key determining factor.
It is important to note that online and digital identifiers, such as IP addresses or usernames, may be considered as personal data.
What Action Should Organizations Take?
A first step for any organization is to audit their data, identify what could be considered personal data in their use case, and ensure that they have received consent in a GDPR compliant manner to continue processing it. If this is not done and personal data is stored, collected, or used in violation of the GDPR, the group could face incredibly harsh sanctions or financial penalties.