GDPR Compliance: Personal Data

What is personal data?

At the core of the GDPR (General Data Protection Regulation) is the concept of personal data. Despite this, many organizations remain unsure as to what exactly constitutes personal data. This is a matter of serious concern, as failure to meet compliance requirements can result in data breaches and disciplinary action.

In a series of articles, we will provide you with the information you need to understand the General Data Protection Regulation (GDPR) and comply with its requirements. We will give you tips, show you real-life examples, help you understand the implications of privacy legislation and take the necessary steps to ensure compliance.

GDPR compliance is not just about avoiding legal penalties or fines. It is also about ensuring that your business is competitive, reputable, and profitable. By taking the necessary steps to comply with the GDPR, you can improve customer satisfaction, build trust, and increase your revenue.

Organizations may find it difficult to comply with the GDPR due to the lack of a clear-cut definition of what constitutes personal data. Without a data protection expert on staff, the task of correctly interpreting the GDPR’s definition can be a challenge. The GDPR does not provide a comprehensive list of what is and isn't considered personal data, making it difficult for organizations to know the full extent of their responsibilities.

Personal data is any information that can be used to identify an individual. This includes information such as a name, address, phone number, email address, and other data that can be linked to a specific person.

The GDPR further specifies that personal data is any information that can be used to identify a person, either directly or indirectly, through an identifier such as a name, identification number, location data, online identifier, or any combination of factors related to the physical, physiological, genetic, mental, economic, cultural, or social identity of the individual.

It is worth noting that in certain circumstances, someone's IP address, hair colour, occupation, or political views may also be considered personal data. Context is key when determining whether information should be classified as personal data, so the phrase 'certain circumstances' deserves emphasis.

Context is important

Context is paramount when it comes to collecting data on individuals. Even if a single piece of information is not enough to identify someone, it can become identifying when combined with other data points. For instance, a company that offers products for download may ask customers to provide their occupation.

On its own, this does not qualify as personal data under the GDPR, since a job title is not exclusive to one individual. Likewise, a company could ask which employer someone works for, but that alone would not identify a person unless they are that employer's only employee.

By combining certain pieces of information, it is possible to pinpoint the identity of a person in the real world. For example, if a person is specified by their job title and the organization they work for, there is likely to be only one person that fits that description.

In some cases, even two pieces of information combined, such as knowing that someone is a cashier at Walmart, may not be considered personal data. However, it is unlikely that this information would be stored without a unique identifier, such as a name or payroll number, alongside it.

Is a name personal data?

Names alone may not be considered personal data, as there could be many people with the same name, but when combined with other information such as an address, place of work, or date of birth, they can be used to identify an individual. The UK's Information Commissioner's Office explains that this combination of data can make a name become personal data: "However, where the name is combined with other information (such as an address, a place of work, or a date of birth) this will usually be sufficient to clearly identify one individual."

Furthermore, the ICO points out that it is not essential to know someone's name in order to identify them: "You don't need to know the name of an individual to be able to identify them; many of us can recognize our neighbors even if we don't know their names."

Determining personal data

It can be difficult to determine if certain information falls under the definition of personal data as outlined by the GDPR. To help you navigate this issue, here is a list of items that may qualify as personal data either alone or when combined with other information:

Private and subjective data, including religion, political opinions and geo-tracking data.

Health, sickness and genetics, including medical history, genetic data and information about sick leave.

Biographical information or current living situation, including dates of birth, Social Security numbers, phone numbers and email addresses. 

Looks, appearance and behaviour, including eye colour, weight and character traits.

Workplace data and information about education, including salary, tax information and student numbers.

How should your organization handle personal data?

It is best to err on the side of caution if you are unsure whether the information you store is personal data or not. You should also strongly consider pseudonymising and/or encrypting information, particularly if it is a special category of personal data. Additionally, the processing of personal data should be limited to what is necessary and data should be kept only for as long as it serves its purpose.

Pseudonymisation masks data by replacing personally identifiable information with artificial identifiers. It is an important element of data protection, being mentioned 15 times in the GDPR, and can help to protect the security and privacy of personal data. Despite its usefulness, pseudonymisation has its limitations, which is why the GDPR also mentions encryption.

Encryption also renders data unreadable, but it does so by transforming the data with a key rather than by substituting identifiers. Whereas pseudonymisation still allows people with access to the data to view a portion of the data set, encryption permits only authorised key holders to access the data set at all. The two techniques can be employed together or independently.

Ask a privacy professional

If you are uncertain about how to properly manage the personal data you collect, you should seek advice from a privacy professional, like a Data Protection Officer (DPO). A DPO is an independent specialist hired to provide guidance to organizations on meeting their GDPR compliance standards. They are responsible for a variety of tasks, such as informing and advising the organization and its staff of their obligations under GDPR.

The GDPR stipulates that certain organisations must appoint a Data Protection Officer (DPO), but the benefits of doing so can be substantial even if the criteria are not met. A DPO can be responsible for monitoring the organisation's data protection policies and procedures, recommending to management when Data Protection Impact Assessments (DPIAs) are necessary, and acting as a point of contact between the organisation and its supervisory authority.
