Understand what is meant by ‘personal data’ under the GDPR legislation, including definitions of special category personal data and what your small business needs to do to store, use and protect data. Sponsored article by iCaaS.
The introduction of the GDPR has brought with it a renewed increase of awareness around data privacy and protection.
The term personal data is bandied about freely. But what exactly does it mean?
Personal data is any type of data that can be used to directly or indirectly identify an individual, often referred to as the data subject.
The data protection regulator, the Information Commissioner’s Office (ICO), explains that this could include a name, a photograph, a phone number, an address, an IP address or even a username.
Megan Kane, GDPR Practitioner at iCaaS GDPR Management explains:
“Personal data refers to any information that could identify someone either directly or indirectly.
Basically what this means is, if you have more than one type of data in front of you such as a name, job title and company name of an individual, it’s extremely likely you would be able to pinpoint that person through the information you have and this information would be classed as personal data.
On the other hand, you may only have the name of an individual with no other information, making it very unlikely that this one piece of information would lead you to a specific individual without anything else to help you do so; in this instance it would not be classed as personal data.”
The law (Article 4(1) of the GDPR) defines personal data as “any information relating to an identified or identifiable natural person”, where an identifiable person is one who can be identified, directly or indirectly, by reference to an identifier such as a name, an identification number, location data or an online identifier. In other words, data is personal data, and therefore protected by the GDPR, if it can be linked back to an individual. Pseudonymised data, where direct identifiers have been replaced by a key held elsewhere, is still personal data, because the individual can be re-identified with that key.
Your business and personal data
The collection, processing and storage of personal data is strictly regulated by the GDPR. That is why it’s so important to know what constitutes personal data and to know exactly how personal data is collected, managed and stored. Understanding whether you are processing personal data is critical to understanding whether the GDPR applies to your activities.
Your use of personal data must also be documented, and you must clearly inform your customers how you are collecting and using their data.
Does your organisation have the right processes and controls in place to store and manage personal data correctly? This is a question you need to ask, and keep asking, to ensure your company is and remains GDPR compliant.
Processing covers a wide range of operations performed on personal data, by manual or automated means: collecting, recording, storing, altering, retrieving, disclosing and erasing it all count as processing. The ICO also makes it very clear that the law doesn’t only cover data in electronic form but also data held in paper files. The GDPR applies to:
- personal data processed wholly or partly by automated means (that is, information in electronic form); and
- personal data processed in a non-automated manner which forms part of, or is intended to form part of, a ‘filing system’ (that is, manual information in a filing system).
The GDPR applies to any organisation established in the EU that processes personal data, and to organisations outside the EU that offer goods or services to, or monitor the behaviour of, individuals in the EU (Article 3). Where the customer is located matters, not where the business or its servers are.
You should know what personal information you collect and whether any of it is sensitive. Controllers and processors must keep records of the processing activities they are responsible for, or that they undertake on behalf of a controller (Article 30). Organisations with fewer than 250 employees are exempt unless the processing is likely to result in a risk to individuals, is not occasional, or includes special category data; since holding customer or staff records is not occasional processing, the exemption rarely applies in practice.
What is special category personal data?
The GDPR (Article 9) defines a further class of personal data, special category personal data, which replaces the ‘sensitive personal data’ category of the Data Protection Act 1998.
This covers information about a person’s health, sex life or sexual orientation, racial or ethnic origin, political opinions, religious or philosophical beliefs and trade union membership, as well as genetic data and biometric data processed to uniquely identify someone.
In a nutshell, special category data is personal data that needs more protection because it is so sensitive.
To process special category data lawfully you need both an Article 6 lawful basis and a separate Article 9 condition for processing.
In a blog on the ICO website, Ian Hulme, Director for Regulatory Assurance at the ICO explained:
“Special category data is the most sensitive personal data a controller can process. The misuse of this data is likely to interfere with an individual’s fundamental rights and freedoms and could cause real harm and damage.”
He added: “Firstly, as always, you must have a GDPR lawful basis to process data under Article 6. However, when processing special category data, you also need an Article 9 condition for processing and potentially an associated DPA 2018 Schedule 1 condition.
“Many of the DPA 2018 conditions require you to have an appropriate policy document in place. This is a short document that should outline your compliance measures and retention policies with respect to the data you are processing.
“We have a template appropriate policy document in our guidance to help organisations.
“There is more to do when processing special category data, but the provisions are in place to help you protect the data of those whose information you hold and increase their confidence in you. It’s worth taking the time to get it right.”
All businesses, including yours, should exercise due diligence when processing any personal data, special category data included. Non-compliance with the GDPR can lead to fines of up to €20 million (£17.5m) or 4 per cent of annual worldwide turnover, whichever is higher.
Personal data and the General Election
The forthcoming General Election on December 12 has raised serious issues regarding the use of personal data.
An investigation involving the Brexit Party has important implications for the way personal data is viewed as an asset in political campaigns.
Sky News reported that the Information Commissioner’s Office (ICO) investigated complaints that the party had failed to respond to requests from individuals for their personal voter data, some of which allegedly dated back to the European elections in May.
Under the GDPR, people have a right to obtain a copy of their personal data from an organisation through the Subject Access Request (SAR) process. They are entitled to a response within one month, free of charge; the deadline can be extended by up to two further months only where requests are complex or numerous, and a fee can be charged only where a request is manifestly unfounded or excessive.
Your business is responsible for the personal data you collect. You risk being fined if it falls into the wrong hands, and a breach that is likely to put individuals’ rights at risk must be reported to the ICO within 72 hours of your becoming aware of it.
A good starting place is to identify what personal data is (and isn’t) and where you can find this data for your business specifically. Remember:
- Personal data must be correctly identified as such.
- Digitised personal data can be found in many different places across your systems: databases, backups, web server and application logs (an IP address is personal data), as well as documents, spreadsheets, email messages and other types of files.
- Special category personal data, such as information about a person’s health or sexual orientation, needs a separate Article 9 condition on top of a lawful basis.
- Remember that under the GDPR, everyone is entitled to access their personal data held by organisations with a SAR.
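The first step above, finding where personal data actually lives in your files, is something you can start automating. The script below is an added example, written for this page and not code from iCaaS or the ICO; it scans a handful of constructed sample files (a CRM export, a web server access log, an HR note and a price list) for the direct identifiers the ICO lists (email addresses, UK mobile numbers, IP addresses) and for keywords that suggest Article 9 special category data. The regular expressions and keyword lists are assumptions for illustration and would need tuning to your own data. Matched identifiers are masked in the output so the report itself does not become another copy of the personal data.

```python
"""Added example: a simple personal-data discovery scan over sample files."""
from __future__ import annotations

import re
from dataclasses import dataclass

# Direct identifiers the ICO names as personal data. These patterns are an
# assumption for illustration; real deployments need patterns tuned to their data.
PATTERNS = {
    "email": re.compile(r"\b[\w.+-]+@[\w-]+(?:\.[\w-]+)+\b"),
    "uk_phone": re.compile(r"\b(?:\+44\s?7\d{3}|\(?07\d{3}\)?)\s?\d{3}\s?\d{3}\b"),
    "ipv4": re.compile(
        r"\b(?:(?:25[0-5]|2[0-4]\d|1?\d?\d)\.){3}(?:25[0-5]|2[0-4]\d|1?\d?\d)\b"
    ),
}

# Keywords hinting at Article 9 special category data. A keyword hit is a prompt
# for a human to review the file, not proof that the file holds special category data.
SPECIAL_CATEGORY_TERMS = {
    "health": ("diagnosis", "medical", "prescription", "sick note"),
    "trade_union": ("trade union", "union member"),
    "religion": ("religion", "religious belief"),
    "ethnicity": ("ethnic origin", "ethnicity"),
    "sexual_orientation": ("sexual orientation",),
    "biometric": ("fingerprint", "facial recognition"),
    "political": ("political opinion", "political affiliation"),
}


@dataclass(frozen=True)
class Finding:
    path: str
    kind: str       # "email", "ipv4", ... or "special:<category>"
    line_no: int
    sample: str     # masked identifier, or a short snippet for keyword hits


def mask(value: str) -> str:
    """Keep just enough of a match to triage it without copying the identifier."""
    if len(value) <= 4:
        return "*" * len(value)
    return value[:2] + "*" * (len(value) - 4) + value[-2:]


def scan_text(path: str, text: str) -> list[Finding]:
    """Scan one file's text line by line for identifiers and special category hints."""
    findings: list[Finding] = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        for kind, pattern in PATTERNS.items():
            for match in pattern.finditer(line):
                findings.append(Finding(path, kind, line_no, mask(match.group(0))))
        lowered = line.lower()
        for category, terms in SPECIAL_CATEGORY_TERMS.items():
            if any(term in lowered for term in terms):
                findings.append(
                    Finding(path, f"special:{category}", line_no, line.strip()[:60])
                )
    return findings


def scan_files(files: dict[str, str]) -> list[Finding]:
    """Scan a mapping of path -> file contents (stands in for walking a directory)."""
    findings: list[Finding] = []
    for path, text in files.items():
        findings.extend(scan_text(path, text))
    return findings


def summarise(findings: list[Finding]) -> dict[str, dict[str, int]]:
    """Count findings per file and kind: raw material for a data map or Article 30 record."""
    summary: dict[str, dict[str, int]] = {}
    for finding in findings:
        per_file = summary.setdefault(finding.path, {})
        per_file[finding.kind] = per_file.get(finding.kind, 0) + 1
    return summary


# Constructed sample files; the names and contents are invented for this example.
SAMPLE_FILES = {
    "crm/contacts.csv": (
        "name,email,phone\n"
        "Jane Doe,jane.doe@example.co.uk,07700 900123\n"
        "Bob Smith,bob@example.org,07700 900456\n"
    ),
    "web/access.log": (
        '203.0.113.42 - - [12/Dec/2019:09:14:01 +0000] "GET /vote HTTP/1.1" 200 512\n'
    ),
    "hr/absence.txt": (
        "Jane Doe - medical diagnosis: on sick note until 20 Dec. "
        "Trade union rep notified.\n"
    ),
    "docs/pricing.md": "# Price list\nStandard plan: 10 GBP per month.\n",
}

if __name__ == "__main__":
    for path, kinds in sorted(summarise(scan_files(SAMPLE_FILES)).items()):
        print(path, kinds)
```

Files with no hits (here the price list) simply do not appear in the summary, while the HR note is flagged twice, once for health and once for trade union membership, which is exactly the file that needs an Article 9 condition and an appropriate policy document behind it. A real scan would also walk mail stores, database dumps and backups, which is where personal data tends to be forgotten.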
By taking steps to achieve GDPR compliance, you can position your small business as one that truly cares about its customers’ private data and stay on the right side of the law.