GDPR: Identifying personal data & sensitive data

Given that more than a year has passed since the European Union’s General Data Protection Regulation (GDPR) was implemented, on the 25th May 2018 to be precise, most businesses are aware that they have a legal obligation to protect any ‘personal data’ which they process.

What exactly is the definition of “personal data” for the purposes of the GDPR, however? It is also worth noting that the GDPR mentions a sub-category of “sensitive personal data” that attracts particular protection. It is therefore necessary to know your personal data from your sensitive personal data.

Personal data

Article 4(1) of the GDPR defines personal data in the following way:

‘personal data’ means any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person;

Simply put, therefore, personal data is any form of information that could be used to identify a living person.

For example, an email address which includes the subject’s name and place of employment, e.g. “johndoe@bigcompany.com”, is considered to be personal data under the GDPR. The email address indicates that there is only one John Doe employed at Big Company, identifying the person in question.

The reality, unfortunately, is usually not so clear cut. More often than not, people become identifiable not through something so simple as an email address, but via multiple pieces of information when viewed together.

For example, it might seem evident that an individual’s name should automatically be thought of as personal data, but as the British Information Commissioner’s Office (ICO) has described, this is not always the case:

By itself the name John Smith may not always be personal data because there are many individuals with that name. However, where the name is combined with other information (such as an address, a place of work, or a telephone number) this will usually be sufficient to clearly identify one individual.

Conversely, the ICO also indicated that names are not, in fact, necessarily needed to identify a person:

Simply because you do not know the name of an individual does not mean you cannot identify [them]. Many of us do not know the names of all our neighbours, but we are still able to identify them.

Businesses and public bodies often collect and hold numerous pieces of information relating to their data subjects. The information gathered may be considered personal data under GDPR if it can be compiled in such a way as to identify a probable data subject.

In the right context, any of the following types of information could be correctly regarded as personal data:

  • Biographical information or current details: dates of birth, Social Security or National Insurance numbers, telephone numbers, email addresses.
  • Physical appearance & behaviour: eye colour, height, weight & character traits.
  • Employment data & education information: salary, tax details and student identification numbers.
  • Private & subjective data: religious beliefs, political opinion, geo-tracking data.
  • Health, illness & genetics: medical history, genetic data & information relating to sick leave.

Sensitive Personal Data

Under GDPR, sensitive personal data is a particular set of “special categories” that needs to be treated with additional security. Such information might pertain to the following:

  • Race or ethnicity;
  • Political views;
  • Religion or philosophy;
  • Membership of a trade union;
  • Genetic data;
  • Biometric data (in circumstances where it is processed to uniquely identify an individual).

It is advisable to store sensitive personal data separately from other personal data, e.g. in a locked drawer or cabinet. Like all forms of personal data, when stored on a laptop or other personal device, the file should be encrypted and/or pseudonymised.

Consent

One of the most common GDPR misconceptions is that every organisation needs to obtain consent in order to process personal data.

In reality, consent is one of six recognised legitimate grounds for the processing of personal data. The stringent rules relating to lawful consent requests mean it is in fact, more often than not, the least preferable option for most organisations.

When relying on consent as processing grounds, businesses and public bodies must be aware that they require explicit consent in order to process sensitive personal data.

It is important, therefore, that any company or body which processes personal data is fully aware of its obligations under GDPR. Chances are that those institutions which have not diligently studied and implemented compliance procedures will run into difficulties.

This can result in long-term negative consequences. Businesses may face enforcement action, fines, reputational damage and loss of trade.

About Eoin Campbell
Eoin P. Campbell is an honours law graduate (LL.B) from Queen's University Belfast and is a qualified solicitor. Eoin has moved from practicing law to teaching. Eoin is currently lecturing in law at two universities in Lyon, France, including a master's degree course in cyberlaw. Eoin provides commentary with a legal perspective on cybersecurity and data protection.