The General Data Protection Regulation (GDPR), formally Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, has been introduced in the EU with the aim of improving the protection of personal data. Understanding whether an organisation is processing personal data is key to determining whether the GDPR applies.
Article 4(1) GDPR defines personal data as ‘any information relating to an identified or identifiable natural person (‘data subject’) … by reference to an identifier’.
The ICO explains that a data subject is identified or identifiable if they can be distinguished from other individuals using the data in question alone (directly), or when combined with other information (indirectly).
Key points to be aware of:
The GDPR provides some examples:
This list is non-exhaustive, so other pieces of data could be considered personal, including job title, religious beliefs, or even hair colour!!
In order to process this data, a company must have a lawful basis under Article 6 of the GDPR.
This is data that is deemed to be of a more sensitive nature (i.e. the data you really don’t want others to know about you), and it therefore requires increased protection, as it could create more significant risks to an individual’s rights and freedoms.
Examples: race or ethnic origin, religious or philosophical beliefs, health, genetic or biometric data etc.
With special category data, as well as requiring a lawful basis for processing under Article 6, one of the conditions under Article 9 must be satisfied. The GDPR defines special category data as personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, genetic data, biometric data, and data concerning health, a person's sex life, or sexual orientation.
Anonymisation of data ensures individuals can’t be identified from it directly or indirectly, so it is no longer classed as personal data and not subject to the GDPR – making sharing data easier. Removing direct identifiers from a dataset, reducing the precision of variables and generalising findings are just a few ways of anonymising data.
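The techniques named above, as an added example that is not part of the original article: it removes direct identifiers, reduces the precision of age and postcode, then suppresses any row whose remaining attributes still single out fewer than `k` people (the indirect identification the ICO describes). The field names, the sample records and the threshold `k` are assumptions made for illustration.

```python
from collections import Counter

# Assumed field names for this illustration.
DIRECT_IDENTIFIERS = {"name", "email"}
QUASI_IDENTIFIERS = ("age_band", "postcode_area", "job_title")

# Constructed sample records, not real data.
RECORDS = [
    {"name": "Person A", "email": "a@example.org", "age": 34,
     "postcode": "AB1 2CD", "job_title": "Nurse", "visits": 3},
    {"name": "Person B", "email": "b@example.org", "age": 38,
     "postcode": "AB1 9ZZ", "job_title": "Nurse", "visits": 1},
    {"name": "Person C", "email": "c@example.org", "age": 31,
     "postcode": "AB1 4EF", "job_title": "Nurse", "visits": 5},
    {"name": "Person D", "email": "d@example.org", "age": 52,
     "postcode": "AB1 7GH", "job_title": "Chief Executive", "visits": 2},
    {"name": "Person E", "email": "e@example.org", "age": 57,
     "postcode": "XY9 1AA", "job_title": "Nurse", "visits": 4},
]

def generalise(record):
    """Drop direct identifiers; reduce precision of age and postcode."""
    out = {k: v for k, v in record.items() if k not in DIRECT_IDENTIFIERS}
    low = (out.pop("age") // 10) * 10
    out["age_band"] = f"{low}-{low + 9}"                    # 34 -> "30-39"
    out["postcode_area"] = out.pop("postcode").split()[0]  # keep outward part
    return out

def key(row):
    """The combination of attributes that could identify someone indirectly."""
    return tuple(row[q] for q in QUASI_IDENTIFIERS)

def small_groups(rows, k):
    """Quasi-identifier combinations shared by fewer than k rows."""
    counts = Counter(key(r) for r in rows)
    return {combo: n for combo, n in counts.items() if n < k}

def anonymise(records, k=2):
    """Generalise every record, then suppress rows in groups smaller than k."""
    rows = [generalise(r) for r in records]
    risky = small_groups(rows, k)
    kept = [r for r in rows if key(r) not in risky]
    return kept, risky

if __name__ == "__main__":
    kept, risky = anonymise(RECORDS, k=2)
    print(f"released {len(kept)} rows, suppressed combinations: {risky}")
```

Here the only Chief Executive remains distinguishable after generalisation, so that row is withheld rather than released.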
If you require assistance identifying your data, or help with your organisation’s data protection processes, please contact us.