GDPR is built around protecting the personal data of EU citizens and residents. Understanding what this means will enable your company to get a handle on its GDPR requirements.
In fact, GDPR only applies to personal data.
But what is personal data exactly? The breadth of this category may surprise you!
In this article, we’ll help you to determine which of your data falls under GDPR regulations, hopefully stopping you from deleting useful information unnecessarily.
We will also explain the difference between personal data and sensitive personal data – a key distinction under GDPR, with implications for how it is collected, stored, and processed.
What is Personal Data Exactly?
Unfortunately, GDPR does not include a comprehensive list of what it considers personal data. The regulations state that personal data is - “Any information relating to an identifiable natural person”.
For the layperson, this means any information that can be used – alone or in combination with other information – to identify a living data subject. Personal data can be something obvious, like a name or username, or it can be something less apparent like CCTV footage.
This is because such data can be used to confirm your physical presence somewhere. It also includes phone location data, IP addresses, and cookie data, as well as email and home addresses.
However, it’s important to remember that these things by themselves do not necessarily constitute personal data, as defined by GDPR regulations – it all depends on the specific circumstance.
What does Circumstance have to do with it?
Take someone’s name, for instance.
You might assume that this would always be categorized as personal data under GDPR, but you’d be wrong.
Given that there are 48,532 John Smiths in the US, this name by itself cannot be used to identify a specific individual person (US Census Bureau).
By comparison, it’s probably safe to say that Elon Musk’s son is the only person on the planet called X Æ A-12 Musk (for the moment).
It therefore stands to reason that GDPR would consider his name to be personal data, since this information is enough by itself to zero in on his individual identity.
However, this changes if it is combined with other information on file. The email address firstname.lastname@example.org would be considered personal data since it indicates that there is only one John Smith working for this particular company.
Is Anything not Considered Personal Data?
In most cases, the data of dead people is not considered personal data under GDPR.
Recital 26 also states that anonymous data does not fall under GDPR regulations.
Anonymization is the process of scrubbing all personal identifiers from data. It should not be confused with pseudonymous or encrypted data, which can still be reprocessed to identify people.
However, GDPR does actively encourage the pseudonymization of personal data because it provides an extra level of security for data subjects.
This is because pseudonymized data can only be accessed by authorized employees – thereby reducing the privacy risks for people who have given their data to companies.
What About GDPR Sensitive Personal Data?
Sensitive personal data – or “special category data” in the official lingo of Article 9 – has been highlighted by GDPR as something that must be handled with extra security.
Here are all the sensitive personal data examples:
- Racial or ethnic origin
- Political opinions
- Religious or philosophical beliefs
- Trade union membership
- Criminal record
- Classified data
- Genetic data
- Financial data
- Biometric data
- Health data
- Sex life or sexual orientation
- Business or work information
This distinction between personal data and sensitive personal data is important.
Under GDPR, sensitive data can only be processed if it satisfies one or more of the following conditions:
- If the person has provided explicit consent or already made the data public
- If the data is required to protect the interests of data subjects that are physically unable to provide consent
- If the data is essential to meet employment, social security, or social protection requirements under the law
- If the data is needed by a not-for-profit organization to carry out legitimate activities
- If the data is needed for activities related to substantial public interest with regard to health or medicine
You’re Data Ready
Hopefully, you’ve now got a better idea of what personal and sensitive data you have on file.
This is the first step towards identifying and classifying data, and ensuring that the way you store personal data respects the rights of EU internet users under GDPR.
Improving the security of this sensitive information will also better protect you in the unfortunate event of a data breach – reducing the fines that your company would receive from data protection authorities.
You can discover more about GDPR and data privacy in our comprehensive guide.