The General Data Protection Regulation (GDPR), Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, has been introduced in the EU with the aim of improving the protection of personal data (information which relates to an identified or identifiable natural person). Understanding whether an organisation is processing personal data is key to determining whether the GDPR applies.
Article 4(1) GDPR defines personal data as ‘any information relating to an identified or identifiable natural person (‘data subject’) … by reference to an identifier’.
The ICO (the United Kingdom’s independent supervisory authority for ensuring compliance with the UK GDPR, Data Protection Act 2018, the Privacy and Electronic Communications Regulations etc.) explains that a data subject (an individual who can be identified or is identifiable from data) is identified or identifiable if they can be distinguished from other individuals using the data in question alone (directly), or when combined with other information (indirectly).
Key points to be aware of:
The GDPR provides some examples:
This list is non-exhaustive, so other pieces of data could be considered personal, including job title, religious beliefs, or even hair colour!
In order to process this data, a company must have a lawful basis under Article 6 of the GDPR.
This is data that is deemed to be of a more sensitive nature (i.e. the data you really don’t want others to know about you), and therefore requires increased protection, as it could create more significant risks to an individual’s rights and freedoms.
Examples: race or ethnic origin, religious or philosophical beliefs, health, genetic or biometric data etc.
With special category data, as well as requiring a lawful basis for processing under Article 6, one of the conditions under Article 9 must be satisfied. Special category data are the types of personal data listed in Article 9(1) GDPR that are considered sensitive and thus require extra protection. Article 9(1) lists data relating to: racial or ethnic origin; political opinions; religious or philosophical beliefs; trade union membership; genetic data; biometric data; health; sex life; sexual orientation. Where these types of personal...
Anonymisation of data ensures individuals can’t be identified from it directly or indirectly, so it is no longer classed as personal data and not subject to the GDPR – making sharing data easier. Removing direct identifiers from a dataset, reducing the precision of variables and generalising findings are just a few ways of anonymising data.