This post has been updated to reflect changes in the industry. Originally published June 2017.
On 25 May 2018, the EU’s GDPR (General Data Protection Regulation) superseded the UK’s DPA (Data Protection Act) 1998. With the Regulation expanding the definition of personal data, many organisations were uncertain as to what the new definition includes.
The scope of personal data
Let’s start with the circumstances under which the processing of personal data must meet the GDPR’s requirements. This set of circumstances is now broader than under the DPA, with Article 2 of the GDPR stating that the Regulation applies to “the processing of personal data wholly or partly by automated means and to the processing other than by automated means of personal data which form part of a filing system or are intended to form part of a filing system”.
What constitutes personal data?
The GDPR’s definition of personal data is also much broader than under the DPA 1998. Article 4 defines personal data as “any information relating to an identified or identifiable natural person (‘data subject’)”. It adds that:
an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.
Perhaps the biggest implication of this is that, under certain circumstances, personal data includes online identifiers such as IP addresses and mobile device IDs. Similarly, the GDPR introduces the concept of ‘pseudonymous data’ – personal data that cannot be attributed to the data subject without some additional information.
The qualifier ‘certain circumstances’ is important to highlight here, because it is often the context in which information exists that determines whether it can identify someone. The same consideration applied under the DPA 1998, and the ICO uses the example of a person’s name to illustrate it:
By itself the name John Smith may not always be personal data because there are many individuals with that name. However, where the name is combined with other information (such as an address, a place of work, or a telephone number) this will usually be sufficient to clearly identify one individual.
However, it also notes that names are not necessarily required to identify someone:
Simply because you do not know the name of an individual does not mean you cannot identify that individual. Many of us do not know the names of all our neighbours, but we are still able to identify them.
Generally, if you’re unsure whether the information you store is personal data or not, it’s best to err on the side of caution and treat it as personal data. This means not only making sure that the data is secure, but also reducing the amount of data you store and ensuring that you don’t retain any information for longer than necessary.
DPO as a service (GDPR)
GRCI Law’s DPO as a service enables you to outsource the DPO role to an expert, helping you to comply with your GDPR obligations without losing focus on your core business activities.
Our DPO team has experience advising clients in a wide variety of sectors, including financial institutions, professional services, education, and health and social care, and we can tailor our service to your unique requirements.