The General Data Protection Regulation (GDPR) has been introduced in the EU with the aim of improving the protection of personal data. Understanding whether an organisation is processing personal data is key to determining whether the GDPR applies.
Article 4(1) GDPR defines personal data as ‘any information relating to an identified or identifiable natural person (‘data subject’) … by reference to an identifier’.
The ICO explains that a data subject is identified or identifiable if they can be distinguished from other individuals using the data in question alone (directly), OR when combined with other information (indirectly).
Key points to be aware of:
The GDPR provides some examples:
This list is non-exhaustive, so other pieces of data could be considered personal, including job title, religious beliefs, or even hair colour!
In order to process this data, a company must have a lawful basis under Article 6 of the GDPR.
Special category data is data deemed to be of a more sensitive nature (i.e. the data you really don’t want others to know about you). It therefore requires increased protection, as its misuse could create more significant risks to an individual’s rights and freedoms.
Examples: race or ethnic origin, religious or philosophical beliefs, health, genetic or biometric data etc.
With special category data, as well as requiring a lawful basis for processing under Article 6, one of the conditions under Article 9 must be satisfied.
Anonymisation of data ensures individuals can’t be identified from it, either directly or indirectly (including in combination with other information), so it is no longer classed as personal data and is not subject to the GDPR – making sharing data easier. Removing direct identifiers from a dataset, reducing the precision of variables and generalising findings are just a few ways of anonymising data.
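As an added illustration (not from the original page), the three steps just mentioned applied to a small dataset, followed by the check a practitioner would want: whether the remaining quasi-identifiers still single anyone out indirectly (a simple k-anonymity count). The records, field names, ten-year age bands and the k threshold are constructed assumptions.

```python
from collections import Counter

# Constructed sample records (not real people): direct identifiers plus
# quasi-identifiers that could identify someone indirectly when combined.
RECORDS = [
    {"name": "A. Example", "email": "a@example.test", "age": 34, "postcode": "SW1A 1AA", "diagnosis": "asthma"},
    {"name": "B. Example", "email": "b@example.test", "age": 37, "postcode": "SW1A 2BB", "diagnosis": "asthma"},
    {"name": "C. Example", "email": "c@example.test", "age": 52, "postcode": "M1 1AE", "diagnosis": "diabetes"},
    {"name": "D. Example", "email": "d@example.test", "age": 58, "postcode": "M1 3CD", "diagnosis": "diabetes"},
    {"name": "E. Example", "email": "e@example.test", "age": 71, "postcode": "EH1 1YZ", "diagnosis": "arthritis"},
]

DIRECT_IDENTIFIERS = {"name", "email"}          # removed outright
PRECISE_FIELDS = {"age", "postcode"}            # replaced by coarser versions
QUASI_IDENTIFIERS = ("age_band", "area")        # what remains that could still combine to identify

def age_band(age, width=10):
    """Reduce precision of a variable: 34 -> '30-39'."""
    low = (age // width) * width
    return f"{low}-{low + width - 1}"

def outward_code(postcode):
    """Generalise a UK postcode to its outward part: 'SW1A 1AA' -> 'SW1A'."""
    return postcode.split()[0]

def anonymise(records):
    """Drop direct identifiers and coarsen the precise fields."""
    out = []
    for r in records:
        a = {key: v for key, v in r.items() if key not in DIRECT_IDENTIFIERS | PRECISE_FIELDS}
        a["age_band"] = age_band(r["age"])
        a["area"] = outward_code(r["postcode"])
        out.append(a)
    return out

def _group_key(record, keys):
    return tuple(record[key] for key in keys)

def min_group_size(records, keys=QUASI_IDENTIFIERS):
    """Smallest number of records sharing one quasi-identifier combination (the k of k-anonymity)."""
    return min(Counter(_group_key(r, keys) for r in records).values())

def is_k_anonymous(records, k, keys=QUASI_IDENTIFIERS):
    """True when no quasi-identifier combination occurs fewer than k times."""
    return min_group_size(records, keys) >= k

def suppress_small_groups(records, k, keys=QUASI_IDENTIFIERS):
    """Remove records whose quasi-identifier combination is rarer than k, so nobody is unique."""
    counts = Counter(_group_key(r, keys) for r in records)
    return [r for r in records if counts[_group_key(r, keys)] >= k]
```

In this sample, stripping names and e-mails is not enough: the single 70-79 / EH1 record remains unique and has to be suppressed (or generalised further) before the set is 2-anonymous.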
If you require assistance identifying your data, or help with your organisation’s data protection processes, please contact us.