There has been some confusion regarding what is defined as personal data under the General Data Protection Regulation (GDPR). This is despite the fact that the term “personal data” is defined in Article 4 of the law:
‘personal data’ means any information relating to an identified or identifiable natural person
The confusion seems to arise because the definition depends on the particular circumstances at hand, and on whether the data point under discussion could be used to identify an individual.
The GDPR includes a list of elements which may be classified as personal data. This list includes names, addresses, IP addresses, and biometric data, depending on the context.
Looking at what is considered personal data
Knowing that personal data is anything that can enable an individual to be identified, we may need to look at this in different contexts.
For instance, a man named John Smith cannot reasonably be identified by his name alone, as this is a ubiquitous name. However, when the name is combined with additional pieces of information, the “right” John Smith may reasonably be identified or identifiable. Because the name “John Smith” can be used in this way, it is personal data even on its own and must be protected.
The GDPR goes so far as to state that “personal data which have undergone pseudonymisation, which could be attributed to a natural person by the use of additional information should be considered to be information on an identifiable natural person.” Even data that has been subject to certain security measures, in this case pseudonymisation, can still be considered personal data.
If John Smith has a username on an online forum where additional information such as his IP or email address has not been recorded and there is no additional information that could identify him as the owner of the account, then this may not be considered personal data.
Given the potentially exhaustive research that would be required to ensure that no supporting information could lead to John Smith being identified from his username, it is safer and more efficient to assume that the username could be combined with other information to identify him, and the username should therefore be treated as personal data.
What businesses need to do
Given the changes to the definition of personal data under GDPR, it is good practice for businesses to carry out an audit of the data they hold in their systems to see if it constitutes personal data and to determine whether they have obtained sufficient consent to store and use it. Failure to do so could result in a stiff penalty, such as a large fine.
The audit should also allow them to link the information held about the same data subject together, so that requests for copies of data and deletion requests can be answered more efficiently.
Importantly, the audit can help to identify security and procedural weaknesses that must be addressed and mitigated to meet GDPR standards. If risks cannot be sufficiently reduced, supervisory authorities should be contacted for advice before processing is attempted.