
What Is Personal Data Under GDPR?


GDPR came into force nearly three years ago, but confusion remains about what does, and what doesn’t, constitute ‘personal data’ under the regulation. Get up to speed on the key definitions and what you need to do to correctly process this kind of sensitive information.

What Is Personal Data?

Personal data is information that relates to an identified or identifiable living individual: anything that could be used to distinguish one person from another, either directly or indirectly in combination with other information. This might be something simple – like a name or ID number – but less obvious identifiers are included too.

Some of the most common types of personal data include:

  • A person’s first name and surname
  • A home address
  • An email address
  • A card number from a form of ID, e.g. driving licence
  • Medical data
  • Biometric data, e.g. fingerprints
  • Location data

You are subject to GDPR rules if your organisation processes personal data, whether that processing is automated or done manually as part of a filing system. It doesn’t matter what technology you’re using or how you’re processing the data: whether you’re using a modern IT system or relying on paper, the same rules apply.

What About IP Addresses and Cookies?

The GDPR also refers to ‘online identifiers’ – information relating to the device, applications, tools or protocols that an individual is using. These may also be considered personal data. Examples include internet protocol (IP) addresses, cookie identifiers, advertising IDs, pixel tags, account handles and device fingerprints.

Any of these could be used to build up a profile, especially in combination with other information. When assessing the online identifiers you process, you’ll need to consider whether these could be used to distinguish one user from another.

For example, marketing cookies use online identifiers to track individuals and build up distinguishable profiles to provide them with targeted content. These cookies would be considered personal data. Even if these are installed by third parties as part of your website, your organisation is still responsible for them under the GDPR.

In addition to ensuring that you comply with GDPR with your use of cookies, you need to be aware that separate legislation exists that covers cookies; make sure your use of cookies complies with the Privacy and Electronic Communications Regulations (PECR) too.

What if the Data Is Anonymised?

While it might be prudent to de-identify, encrypt or pseudonymise personal data to mitigate the damage of a security breach, this kind of information still falls under the scope of the GDPR. That’s because it can still be used to re-identify a person.

However, if the data has been rendered anonymous – meaning that the individual is not, or is no longer, identifiable, and the process is irreversible – then it will no longer be considered personal data for the purposes of the GDPR.

Making all personal data anonymous won’t be an option, or useful, for most organisations. But, in some cases, it can reduce the quantity of personal data you have to protect. Your organisation’s website, for example, might process the IP addresses of site visitors, but you probably don’t need them to remain identifiable, so you could take steps to anonymise them.

In other cases, such as a hospital protecting the identities of individual patients while wanting to publish statistics about treatments, anonymisation can enable it to make information public while following the law.
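The following is an added illustration, not code from Amtivo or from the original article. It contrasts the two treatments the section distinguishes: pseudonymising visitor IP addresses with a keyed hash (reversible by anyone holding the key, so still personal data) and anonymising them by truncation (the discarded bits are never stored, so the same value can no longer single out one host). The sample addresses are constructed from documentation ranges, the key is a placeholder, and the choice of prefix lengths is an assumption; whether truncation is sufficient anonymisation for a given dataset is an assessment each organisation has to make.

```python
import hashlib
import hmac
import ipaddress
from typing import Callable, Iterable

# Constructed sample of visitor IPs, in the style of a web server access log.
# 203.0.113.0/24, 198.51.100.0/24 and 2001:db8::/32 are documentation ranges.
SAMPLE_VISITOR_IPS = [
    "203.0.113.42",
    "203.0.113.99",
    "203.0.113.42",
    "198.51.100.7",
    "2001:db8:85a3::8a2e:370:7334",
]

# Placeholder secret; a real deployment would load this from a key store.
PSEUDONYMISATION_KEY = b"placeholder-key-change-me"


def pseudonymise_ip(addr: str, key: bytes) -> str:
    """Replace an IP with a keyed HMAC token.

    The same address with the same key always yields the same token, so
    individual visitors can still be told apart, and anyone holding the key
    can recompute the mapping. That is pseudonymisation: the output remains
    personal data under the GDPR. An unkeyed hash would be weaker still,
    because the IPv4 space is small enough to enumerate and match.
    """
    digest = hmac.new(key, addr.encode("ascii"), hashlib.sha256).hexdigest()
    return digest[:16]


def anonymise_ip(addr: str) -> str:
    """Truncate an IP so it identifies a network rather than a host.

    IPv4: keep the /24 network and zero the last octet.
    IPv6: keep the /48 prefix and zero the remaining 80 bits.
    The dropped bits are not retained anywhere, so the step is irreversible.
    (Prefix lengths are an assumption made for this example.)
    """
    ip = ipaddress.ip_address(addr)
    prefix = 24 if ip.version == 4 else 48
    network = ipaddress.ip_network(f"{ip}/{prefix}", strict=False)
    return str(network.network_address)


def distinct_count(ips: Iterable[str], transform: Callable[[str], str]) -> int:
    """How many distinct values survive a transform: a proxy for how many
    individuals the stored data can still distinguish."""
    return len({transform(ip) for ip in ips})


if __name__ == "__main__":
    keyed = lambda ip: pseudonymise_ip(ip, PSEUDONYMISATION_KEY)
    print("pseudonymised distinct visitors:",
          distinct_count(SAMPLE_VISITOR_IPS, keyed))
    print("anonymised distinct networks:   ",
          distinct_count(SAMPLE_VISITOR_IPS, anonymise_ip))
    for ip in SAMPLE_VISITOR_IPS:
        print(f"{ip:32} -> {keyed(ip)}  |  {anonymise_ip(ip)}")
```

Run over the constructed sample, the keyed tokens still separate the two visitors in 203.0.113.0/24, while truncation merges them into one network value. That loss of resolution is the point: the anonymised column can be kept for traffic statistics without tying a record back to one person, whereas the pseudonymised column must be protected as personal data for as long as the key exists.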

How Should You Handle Personal Data Under GDPR?

Once you’ve established which information you’re processing counts as personal data, you need to make sure that you’re collecting it, storing it, and processing it in line with GDPR requirements. If you’re processing large amounts of data you may need to appoint a Data Protection Officer (read our article to find out whether you need to appoint a DPO).

With technology changing rapidly, ensuring continued compliance might feel a bit overwhelming, which is why we’ve put together a guide to help. Take a look at our guide and find out how to comply with GDPR.

Find Out More About GDPR

Since GDPR came into force, the understanding of the rules and how to interpret them has evolved. Our article “Everything you wanted to know about GDPR in 2021” provides a helpful update on current thinking. You may also find it useful for affected staff to complete our online GDPR training course, which explains the most important factors and includes a test to assess their understanding of the rules – if they pass, they will be awarded a certificate confirming their achievement.
