Data protection is not fundamentally a data issue, but a human rights issue. As such, data protection legislation such as the General Data Protection Regulations (GDPR) always relate to processing personal information.
To understand your legal obligations, it is necessary to understand what is considered personal data. This is an area that can cause confusion. An individual’s name? That’s certainly personal information. But what about an email address? Or a photograph? Or an ID number that, when combined with other information you hold, could be used to identify someone?
When the EU’s General Data Protection Regulations (GDPR) came into effect on May 2018, it will bring with it a new definition of personal data.
For years, we have understood personal data in terms of the Data Protection Act 1998: that personal data is any data, whether by itself or when combined with any other data you possess or are likely to possess, by which a living individual is identifiable.
This includes any opinions or decisions pertaining to an individual, such as notes from performance review meetings, or recruitment notes on a candidate’s suitability for a role.
Under GDPR, the definition of personal data has been expanded and is considered “any information relating to an identified or identifiable natural person”.
This means that if any information you hold can identify an individual, either directly or indirectly, then it is considered personal. If an individual can be identified by reference to “an identifier such as a name, an identification number, location, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person” then it is personal data.
This means that IP addresses, for example, count as personal data. Information that has been pseudonymised could also be personal data if it is possible to relate that information to an individual.
For example, it may be possible to identify an individual within a company with only their date of birth, gender, and salary information.
Significantly, information that includes anything which identifies a living individual either “in personal or family life, business or profession”.
For organisations, this includes work email addresses, company car details, and work phone numbers. An email address, whether it is firstname.lastname@example.org or ITmanager@company.co.uk or even shared email addresses can identify an individual, either on their own or by processing other information.
To meet your obligations, you will need to have a process in place to identify whether data is personal and commit to regular reviews.
Under GDPR you will have significantly more legal liability if you are responsible for a breach. If you are in doubt as to whether a piece of data is personal or not, it is always best to err on the side of caution and assume it is.
Visit the Information Commissioner’s website for further data protection and GDPR guidance for organisations.