
How will the term “Personal Data” be defined within the GDPR?

First published November 2016

Sweeping changes to data protection in the European Union will come into force in 2018 – May 25th to be precise – when the new General Data Protection Regulation (GDPR) is fully implemented across Europe. These changes will affect businesses in the UK in many ways, even with the status of Brexit negotiations still outstanding.

The GDPR is strongly focused on the rights of the data subject, i.e. individuals living in Europe, and their personal data. But ‘personal data’ is such a generic term. What exactly does it encompass, and how will that change when the GDPR comes into effect?

The current definitions of personal data

Under the current EU Directive on Data Protection, and the existing UK Data Protection Act, personal data is broadly defined as:

Any information relating to a living, identified or identifiable natural person.

The identification could be direct (e.g. a person’s name) or indirect (e.g. the owner of a particular business). The definition of personal data applies to any piece of information which can be used to identify an individual, based on ‘all means reasonably likely to be used’.

So for example, a user ID number is classed as personal data, because it can be matched to the name of a user on a database. The term ‘personal data’ still applies to data even if it requires the use of information elsewhere to identify an individual.

Under the current Data Protection Directive, personal data includes:

  • Identifiable information such as numbers
  • Factors specific to a person’s physical, physiological, mental, economic, cultural or social identity

Expanded definitions of personal data under the GDPR

Given the vast nature of personal data, one of the main reasons for the introduction of the GDPR is to more clearly define what should be classed as identifiable information and codify this into law.

The new regulations update definitions of personal data to reflect modern lifestyles, changes in technology and the way in which organisations, companies and businesses collect and store information.

The GDPR keeps the same broad definition of personal data as “data from which a living individual can be identified or identifiable (by anyone), whether directly or indirectly, by all means reasonably likely to be used.”

However, it goes on to clearly state examples of this personal data, and specifically adds new identifying types of data to its definition. This includes:

  • Names
  • Location data
  • Online identifiers

Location data is not specifically defined, but is associated with data that has any kind of geographic position attached to it. This is classed as personal because it could be used to identify where an individual lives, works, and sleeps, or to find out social, religious or cultural identities.

Online identifiers refer to digital information such as IP addresses, cookie strings or mobile device IDs. For example, as an IP address can be used to find out where an individual is located, it is clearly personal data.

Many of these information types are already considered to be personal data, and have all been the subject of much discussion, scrutiny and court cases in both Europe and the wider world. Whilst many organisations currently treat these identifying information types as personal data, they have now been enshrined in law.

New additions to categories of sensitive data

As a sub-category of personal data, sensitive data refers to a more specific type of personal data that should be treated with extra protection and care. The current definition of this includes information such as:

  • Racial or ethnic origin
  • Political opinions
  • Religious or philosophical beliefs
  • Trade-union membership
  • Health or sex life

Under the GDPR, sensitive data is given enhanced protection, with explicit consent required for its processing. Two new information types are also added to this classification: genetic data and biometric data.

Genetic data specifically refers to gene sequences, which are used for medical and research purposes. Biometric data includes fingerprints, retinal and facial recognition.

With many buildings now using fingerprint entry systems, and facial recognition programmes a common feature on numerous mobile applications, it’s easy to see how the GDPR’s new definitions of personal data will have far-reaching consequences.

Encouraging pseudonymisation

A common question in data protection is: if data is encrypted, is it still personal?

The GDPR seeks to address this with the introduction of a new concept – pseudonymisation. Its official definition is:

“The processing of personal data in such a way that the data can no longer be attributed to a specific data subject without the use of additional information, as long as such additional information is kept separately and subject to technical and organisational measures to ensure non-attribution to an identified or identifiable person.”

In some respects, this is just specifically defining a practice that is already used by many organisations and businesses – hashing (at its most basic), encrypting, or, in the most comprehensive sense, anonymising data so that it isn’t personally identifiable without decryption.

This protects data from causing personal harm if it is leaked, stolen or used for nefarious reasons. Without another piece of information, the data cannot be associated with an individual person.

So does that mean it’s data that is no longer personal? According to the GDPR, no, it is still considered a type of personal data, despite its encryption. So it is still subject to the same rules and procedures under the new General Data Protection Regulation.
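
The difference between basic hashing and pseudonymisation that relies on separately held additional information can be shown in a few lines. This is an added example, not Kefron's code or anything prescribed by the GDPR; HMAC-SHA256 is one possible technique chosen here, and the record fields, IDs and function names are constructed for illustration.

```python
import hashlib
import hmac
import secrets

# Constructed sample records (not real data); field names are assumptions.
RECORDS = [
    {"user_id": "100234", "region": "Dublin", "invoices": 7},
    {"user_id": "100871", "region": "London", "invoices": 2},
    {"user_id": "100234", "region": "Dublin", "invoices": 3},
]

def unkeyed_token(user_id: str) -> str:
    # Plain SHA-256: anyone who knows or guesses an ID can recompute the token.
    return hashlib.sha256(user_id.encode()).hexdigest()

def keyed_token(user_id: str, key: bytes) -> str:
    # HMAC-SHA256: the key is the "additional information" and must be
    # stored separately from the pseudonymised data set.
    return hmac.new(key, user_id.encode(), hashlib.sha256).hexdigest()

def pseudonymise(records, key: bytes):
    # Replace the direct identifier; keep the other fields for analysis.
    out = []
    for r in records:
        row = {k: v for k, v in r.items() if k != "user_id"}
        row["subject"] = keyed_token(r["user_id"], key)
        out.append(row)
    return out

def attribute(token: str, known_ids, token_fn):
    # Return the ID in known_ids that produces this token, or None.
    for uid in known_ids:
        if hmac.compare_digest(token_fn(uid), token):
            return uid
    return None

def demo():
    key = secrets.token_bytes(32)        # held by the controller only
    other_key = secrets.token_bytes(32)  # stands in for a party without the key
    data = pseudonymise(RECORDS, key)
    ids = ["100234", "100871"]
    return {
        "stable": data[0]["subject"] == data[2]["subject"],
        "with_key": attribute(data[1]["subject"], ids, lambda u: keyed_token(u, key)),
        "without_key": attribute(data[1]["subject"], ids, lambda u: keyed_token(u, other_key)),
        "unkeyed": attribute(unkeyed_token("100871"), ids, unkeyed_token),
    }

if __name__ == "__main__":
    print(demo())
```

The keyed data set stays linkable for analysis and can be attributed again by whoever holds the key, which is why it remains personal data; the unkeyed hash can be matched to an ID with no additional information at all.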

However, certain provisions of the GDPR will be relaxed if data is pseudonymised, and some processes could be exempt from compliance rules. Most notably, data breach rules will not be as stringent if the data concerned has been pseudonymised.

Companies will also benefit from more flexibility with data profiling. If data is anonymised in such a way that the data subject is no longer identifiable at all, then the GDPR states that the principles of data protection should not apply.

The impact on businesses

These exceptions have been put in place as incentives to encourage businesses to pseudonymise or encrypt data at every opportunity. Indeed, frequent references are made to pseudonymisation throughout the GDPR framework, including descriptions of it as a safeguarding tool.

It is essential therefore that companies look at this process as part of a wider review on how they deal with data and its protection. Although it might be costly to initially implement, businesses should consider pseudonymisation of personal data in order to take advantage of some of the relaxed regulations and incentives for data processing.

It will also improve the mitigation of risk and the management of compliance, reducing the possibility of data breach and subsequent prosecution – which could be extremely tough under the new GDPR.

For those businesses with a large digital presence, including those companies outside of the EU who interact with European citizens online, the new definitions including online identifiers as personal data will have a big impact on social media, analytics and advertising. These are just a few of the areas that will need to be investigated further.

Overall, there’s a clear need to develop a comprehensive understanding of personal data and what this refers to, using the expanded definitions to revisit procedures, update processes and improve the security of systems.

Is your business ready for the GDPR? Take a look at our resources for all the information you need to prepare for the new regulations.
