GDPR Impact on the Definition of Personal Data

You may be aware that on 25 May 2018 the General Data Protection Regulation (GDPR) becomes law. GDPR applies to any business or organisation that processes the data of people who live within the EU, no matter where the business or organisation itself is located.

GDPR goes a lot further than the directive which has been in place since 1995. It is intended to bring consistency to the way data protection is dealt with across the EU, and to ensure that the rights and freedoms of individuals are protected in this digital age.

What is Personal Data?

Traditionally, personal data has been thought of as information such as a name and address. But, the definition of personal data under the GDPR is a lot more wide ranging than that. Basically, data is defined as personal if an individual could reasonably be identified from it. This can apply to one piece of data, or different pieces of data that have been grouped together.

A good example of the type of information concerned would be an IP address, which could be used, together with browsing information, to identify an individual. 

What is Happening about Consent?

As we mentioned, one of the main intentions of GDPR is to protect the rights of individuals. This is why there are strict stipulations when it comes to using consent as the reason for processing personal data. Of course, businesses and organisations do not necessarily need to have consent to process personal data, as there may be another legally valid reason for doing so. But, if consent is being used as the justification for they processing, they need to ensure that:

  • The individual knows what they are consenting to, and consent is explicit.
  • Consent is kept separate to other terms and conditions.
  • Personal data is only used in relation to the purpose for which consent is held.
  • An action needs to be taken to provide consent. This means that businesses and organisations can no longer legitimately use pre-checked tick boxes.

It’s important that all businesses and organisations recognise personal data, and ensure that consent is in place when necessary. Failure in these areas could lead to non-compliance with GDPR, and the imposition of fines or other sanctions.