Personal data in GDPR context
What is GDPR? A small background.
GDPR stands for General Data Protection Regulation. It is a set of rules, the main law set up to protect the personal data of European Union (EU) citizens.
What exactly is Personal Data?
Personal data is at the centre of GDPR. Knowing exactly what counts as personal data is an important place to start if we want to fully grasp GDPR. There is no definitive list of what is or isn’t personal data. The only way is to properly understand GDPR’s definition and grasp the spirit of what the rules are trying to achieve.
Personal data means any information relating to an identified or identifiable natural person. The words to note are:
- “Any” – This makes the scope of what constitutes personal data very wide.
- “An identifiable natural person” is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.
Data points coming together to become personal data: the intersection of data narrows down to a specific person.
Did you know that someone’s IP address, hair colour, job or political opinions could be considered personal data?
Organisations usually collect more than one type of information about us. One piece of data on its own may not be able to single out a person. However, that piece of data could complete the puzzle: when combined with other data, the pieces can intersect and narrow down to a specific person. In this circumstance, all the data involved becomes classified as personal data.
For example, consider a website that collects the “occupation” of its users. By itself “occupation” is not personal data under the GDPR definition, because many people share that occupation. In the same way, a website can collect “company worked for”, which, again, could not identify someone, as there are many employees within the company (unless the company has only that one employee). However, when “occupation” and “company worked for” come together, they intersect and narrow down the number of people to such an extent that we could reasonably pinpoint a specific person.
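To make the “occupation” plus “company worked for” argument concrete, here is an added example (not part of the original article) that measures how many records share each combination of values. The records are constructed sample data, not real people, and the field names `occupation` and `employer` are assumptions. The smallest group size is the k of k-anonymity: as soon as it drops to 1, some record is uniquely identifiable and the whole set of fields has to be treated as personal data. The last function generalises the two-field case to any set of columns, reporting every combination that falls below a chosen k.

```python
from collections import Counter
from itertools import combinations

# Constructed sample records (hypothetical, not real people): each row is one
# user of a website that stores only these two fields plus an internal row id.
RECORDS = [
    {"id": 1, "occupation": "accountant", "employer": "Acme Ltd"},
    {"id": 2, "occupation": "accountant", "employer": "Globex Plc"},
    {"id": 3, "occupation": "accountant", "employer": "Globex Plc"},
    {"id": 4, "occupation": "engineer",   "employer": "Acme Ltd"},
    {"id": 5, "occupation": "engineer",   "employer": "Acme Ltd"},
    {"id": 6, "occupation": "engineer",   "employer": "Globex Plc"},
    {"id": 7, "occupation": "engineer",   "employer": "Globex Plc"},
]


def group_sizes(records, fields):
    """Count how many records share each combination of values for `fields`."""
    return Counter(tuple(r[f] for f in fields) for r in records)


def min_group_size(records, fields):
    """The k in k-anonymity for these fields: the size of the smallest group.
    A value of 1 means at least one record can be singled out."""
    return min(group_sizes(records, fields).values())


def singletons(records, fields):
    """Ids of the records that are unique on the given fields."""
    sizes = group_sizes(records, fields)
    return [r["id"] for r in records if sizes[tuple(r[f] for f in fields)] == 1]


def identifying_field_sets(records, fields, k=2):
    """Every subset of `fields` whose combination falls below k-anonymity.
    Generalises the occupation + employer case to any number of columns."""
    risky = []
    for n in range(1, len(fields) + 1):
        for subset in combinations(fields, n):
            if min_group_size(records, subset) < k:
                risky.append(subset)
    return risky


if __name__ == "__main__":
    for fields in (["occupation"], ["employer"], ["occupation", "employer"]):
        print(fields, "smallest group:", min_group_size(RECORDS, fields),
              "unique records:", singletons(RECORDS, fields))
    print("combinations below k=2:",
          identifying_field_sets(RECORDS, ["occupation", "employer"]))
```

On this data, each field alone leaves at least three people in every group, but the pair isolates record 1 (the only accountant at Acme Ltd). A privacy review would run the same check over every column that is not a direct identifier before deciding which fields can be released or shared.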
Surprised? A name may not be personal data
The UK’s Information Commissioner’s Office (ICO) puts it this way:
“By itself the name John Smith may not always be personal data because there are many individuals with that name. However, where the name is combined with other information (such as an address, a place of work, or a telephone number) this will usually be sufficient to clearly identify one individual.”
And names aren’t necessarily required to identify someone:
“Simply because you do not know the name of an individual does not mean you cannot identify [them]. Many of us do not know the names of all our neighbours, but we are still able to identify them.”
To give a better guideline of what could be considered personal data, either by itself or combined with other data, the cloud services company Boxcryptor provides the following list for reference.
- Biographical information or current living situation, including dates of birth, Social Security numbers, phone numbers and email addresses. Looks, appearance and behaviour, including eye colour, weight and character traits.
- Workplace data and information about education, including salary, tax information and student numbers.
- Private and subjective data, including religion, political opinions and geo-tracking data. Health, sickness and genetics, including medical history, genetic data and information about sick leave.
When such information is captured, it is recommended that the data be stored securely within a trusted information management system or Electronic Document Management System (EDMS), where access to it is controlled by measures such as role-based access and full audit trails. Read more about data protection in Singapore’s context in our resources.