<img src="https://certify.alexametrics.com/atrk.gif?account=b2hlr1ah9W20em" style="display:none" height="1" width="1" alt="">
    Login
    Get started

    Personal Data Under GDPR - A Whole New World?

    Published on 16 Apr 2018 by Martin Schofield

    What constitutes personal data under GDPR?

    personal data under GDPR

    With GDPR, comes a widening in scope of what constitutes personal data. Historically, we have taken personal data to mean any data from which a living individual can be identified, name, address, date of birth or a combination of each for example.

    However, Article 2 of the GDPR widens the scope, applying to the “processing of personal data wholly or partly by automated means and to the processing other than by automated means of personal data which form part of a filing system or are intended to form part of a filing system.”

    And Article 4 of the GDPR defines such personal data as “any information relating to an identified or identifiable natural person (data subject)”. Adding that, “an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier, or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.”

    It is clear from this, that even a computer IP address will, under GDPR constitute personal data.

    However, all of this has to be taken in context of the situation, for example, identifying someone by their name, you would think was a very clear-cut thing, but if that name were a very popular one, John Smith for example, is it as easy as you may have first thought to identity the John Smith to whom you may be referring? However, if you combine that name, with for example an IP address, physical address, place of work etc, then the identification of that natural person becomes possible.

    Similarly, not knowing the name of someone, does not mean that you do not hold sufficient information what constitutes personal dataabout them to be able to identify them, a neighbour for example, whose name you do not know, but you see them each day wearing a particular employer’s uniform, and of course you know their address. You may also notice a birthday party in progress one day, enabling you to ascertain their date of birth. When bringing this together, you know now the person’s employer, likely to be able to guess, if not know the location of their employment, their address and their date of birth – all indirect pieces of information, that when brought together allow for the direct identification of a natural person.

    In some, more extreme circumstances, even the first half of someone’s postcode alone, may allow you to indirectly identify them. For example, if the first part of a postcode relates to an extremely remote part of the country, within which there is only one farmhouse and only one person (the farmer) lives at that farm, then from the first part of the postcode, you can indirectly establish the identity of that natural person, hence the postcode is considered to be personal data.

    Another example is someone’s business card, handed out freely as a quasi-marketing tool, or in fact for the purpose for which it is intended, to provide someone with your contact details. These cards can, to be honest, often be found littering our streets, or on the platforms at train stations, but they nonetheless represent personal data – especially if the person is self-employed and perhaps their business address, telephone and email address are also their personal addresses and phone number.

    In this new world of increased scrutiny, public awareness and more severe financial penalties for getting it wrong, it is perhaps safer, at least for now until the new world embeds into our consciousness, to encourage ourselves and our staff to consider all data, to be personal data?

    Want to know more about GDPR?

    As well as 30+ free compliance training aids, we regularly publish informative GDPR blogs. And, if you're looking for a training solution, why not visit our GDPR course library.

    If you've any further questions or concerns about GDPR, just leave us a comment below this blog. We are happy to help!

    Leave a comment

    Tick

    Free Trial: Compliance Essentials

    Skillcast Essentials is our best-selling library and there's a reason for that. Essentials library provides comprehensive coverage of the key compliance / conduct issues that companies in the UK face today.

    Request now

    What are the Best Workplace Learning Theories?

    Learning theories have been developing for decades, each has their own merits. We look at six of the most well established theories to explain how you can use them to improve outcomes. When designing ...

    Read More
    Biggest GDPR Fines of 2019

    Penalties for breaching the GDPR can reach up to €20 million or 4% of annual global turnover, whichever is highest. We examine the size and reasons for the biggest GDPR fines of 2019. Ever since ...

    Read More
    Highest FCA Fines of 2019

    The FCA issued a record total of £392 million in fines in 2019. In fact, the two largest fines in 2019 were larger than the 2018 totals. We've analysed they key corporate and individual fines in ...

    Read More
    Why a Blended Approach Drives Engagement & Learning Outcomes

    It is critical that you provide training that engages your learners, but should that be face-to-face, e-learning, mentoring or something else? We explain how to blend for success... Whilst compliance ...

    Read More