The evaluation of personal data is not easy under the current Data Protection Directive. It does not look it will be under the GDPR either, especially since the definition has been expanded and amended. Let’s see what’s new in the GDPR.
Article 4(1) of the GDPR states that personal data is ‘any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person;’
It can be seen from the text that ‘personal’ data is data from which an individual could be identified with reasonable accuracy. Note that even if you are unable to identify a person from such data, if it can be reasonably concluded that someone could, then it should be classified as personal. Perhaps you would not be able to identify someone from a photograph and an address, but someone else (like their neighbour) would. You will have to perform these ‘tests’ regularly (but more on that below).
The GDPR and the DPD also have the concept of sensitive personal data, i.e. ‘special categories of personal data’. These are afforded special protections and measures on top of those required by personal data, but you can identify them in the same way as personal data and categorise later. Sensitive personal data, as listed in the GDPR, comprises racial makeup, political and union membership, health condition, sexual orientation, criminal files, biometric and genetic data.
Anonymous Data & Pseudonymisation
Anonymous information is not considered personal data. Anonymization of personal data can help you mitigate the risks of handling personal data. This is different from pseudonymisation: such data is considered personal since someone could still infer the identity of a person if enough data is provided. Data is considered anonymized only if it is reasonably likely that no one will be able to link those pieces of data with others and identify the individual in this manner. Aggregated statistical data (such as population censuses) are an example of anonymization.
Consider location tracking, for example. Data on your movement, such as when you go for a jog, can be used to reasonably determine who you are and where you go. However, when aggregated with hundreds of other individuals and stripped of unique identifiers (i.e. your route cannot be reconstructed and it is used only for public places), it can be considered either anonymised or pseudonymised, depending on the degree of intervention.
Therefore, the more data you have on a single person, the higher the risk. If you obtained the picture from the previous paragraph and linked it with the data on the person (their occupation, interests etc.) then the data is certainly personal. Even if by itself a piece of data is not considered personal, if linked with additional data, it can become such.
Pseudonymisation, while not completely eliminating the risk of identification, can be very effective and the GDPR introduces certain provisions that relax the requirements for data handling breach notifying if the data had been previously pseudonymised. Profiling requirements are also relaxed.
It is expected that the national supervisory authorities will provide guidance regarding the scope of data that is considered personal, as the definitions are very wide on purpose and such guidance has been foreseen by the lawmakers. Still, we can give you some tips for determining whether your data is personal or not.
Scope – “Any Information”
The GDPR (and the DPD) is notoriously wide in this regard. It includes literally any information – objective and subjective. Objective information can be one’s date of birth, their health status, salary, or biometric data, but subjective information is also protected, such as opinions or gossip, even.
Personal information need not be proven or true to be such! Also, this information can be direct or indirect. A direct piece of information would be someone’s name, while an indirect one would comprise a description of a said person. Format does not matter in this context. Any form of data stored paper, electronic, spoken, biometric or any other recoverable form can be personal.
Compared with the DPD, the GDPR explicitly mentions identification numbers, location data, and online identifiers as being personal data. The ambiguity has been resolved: cookies, IPs, advertising IDs, RFID tags, device IDs, apps and similar are all considered personal data and warrant the corresponding level of protection.
To be personal, information must be such that someone could reasonably be singled out from the group just by applying such information. Just a name, for example, might not be enough, especially if it is very common. John Brown might not be enough, but ‘John Brown, a 36-year old banker from London, living in Hammersmith’ certainly could be.
All those pieces of data (‘a banker’, ‘lives in Hammersmith’, ’36-year old’) do not constitute personal data in and of themselves, as there are plenty bankers and 36 year olds on the planet, and one cannot reliably identify someone from that data alone. But by connecting those pieces of data, individuals can be singled out with relative certainty, even without knowing their name. The British regulator ICO lists an example of a water bill addressed to ‘the occupier’ in a building, without listing their name. Is the data on water consumption personal? Yes, since that ‘occupier’ can be distinguished from other people and, of course, their name can easily be found out.
Therefore, as outlined in the sections above, you must pay attention to the linkage of data. It might not be obvious that the individual can be identified, but Recital 26 of the GDPR deals with this issue, by recommending that ‘all the means reasonably likely to be used, such as singling out, either by the controller or by another person to identify the natural person directly or indirectly’.
Even if a person is not identified, the data can be considered personal if it is reasonable that they can be identified (if they are identifiable).
Furthermore, technical measures that can be used to identify a person also come into play here. This point is also covered by the GDPR in the same Recital. You should take into account, while evaluating identifiability, the ‘costs of and the amount of time required for identification, taking into consideration the available technology at the time of the processing and technological developments.’
Take into account for how long you plan to store the data, as technology can advance rapidly and information that you considered safe could be used to identify someone in the future.
The GDPR is not as strict here as you might think. Just because there is a remote possibility that someone could in theory reconstruct the data and identify someone does not mean this data should be considered personal, but bear in mind that this also covers determined individuals, like journalists and private investigators who could actively seek to identify the individual, not just regular people without much interest in data.
Pertinence – “Relating to”
If the data relates to an identifiable living person, it is considered personal. There are plenty of ways information can relate to an individual, and most are very obvious.
For example, a person’s work history, medical files or criminal records are obviously about that person. However, bank statements or telephone bills listing call durations and numbers dialled also fall under this category.
As explored in previous sections, data by itself may not be personal but it can become such if linked with other pieces of data. A price of a house is not personal data: it is generally publicly available and determined on the market. But, when linked to its owner and used for taxation purposes, then it is indisputably personal.
Purpose matters. As soon as a piece of non-personal data is used to learn something about an individual or decide something about them, this information is personal. A picture of a crowd in a busy street by an amateur photograph does not contain personal information; but if taken by a detective or a police officer, it could, since the purpose is usually to identify the individual.
Furthermore, if the information would have any biographical significance for an individual, it is personal. For example, being listed as a participant in a marathon is personal data for that individual since it identifies their location at a particular time. If the individual is a major focus of a piece of information, it is very likely personal.
In some cases, data about objects could be personal as well. If the number of produced units during the day is read from the factory machine is used to evaluate the effectiveness of a worker, that data is personal; even if the data were collected for statistical purposes, it could still be used to evaluate the worker’s effectiveness.
A litmus test to help you identify whether the data relates to a person could consist of the following questions, according to the ICO:
Can I learn, record or decide something about an identifiable individual as a result or an unintended consequence of processing?
Could this processing affect an identifiable individual?
If yes, then the data is personal.
‘Persons’ and Personal Data
Under the DPD and the GDPR, these provisions extend only to natural persons (flesh-and-bone individuals).
Legal persons are not afforded the level of protection as described above, but Member States are allowed to extend certain provisions to legal persons as well.
Dead persons are generally not considered natural persons in legal terms, so the GDPR technically does not protect their data. However, it can be difficult to ascertain whether a person has indeed passed away, so our suggestion is to treat it as personal data without creating a separate distinction. This is because data of a dead person could inadvertently relate to a living person (The Working Party Article 29 gives an example of haemophilia – if a (deceased) father suffered from it, his living son could as well, which means the data is personal (and sensitive, in addition)).
Additionally, medical staff must protect the confidentiality of the patient even after their death, though this is regulated by national law. Again, Member States an extend the provisions to dead persons as well.
Looking at a Wider Picture
Actually, not much has changed with the introduction of the GDPR. The GDPR does not ask the companies to do much more than they otherwise would. It only mandates the use of good data handling practices, which should not surprise the companies that already implement such sound policies.
However, companies without such policies, and those who take a carefree approach towards personal data, have much to lose. They should act fast so as not to endanger the data of others and, in some cases, risk paying huge but very avoidable fines. The fines in the GDPR will force the companies to improve their data handling policies. Unfortunately, voluntary adoption of such policies has been very sporadic.
The law is very protective of personal information of private individuals in the EU, but this should be nothing new to your business.
You will be hard-hit if your company’s core business consists of processing large amounts of online data, such as advertising, since cookies and advertising identifiers will have to be treated as personal data. On the other hand, by employing pseudonymisation you can mitigate the prohibitions to data profiling to some extent. In any case, even non-EU companies will have to be bound by these provisions as long as they deal with EU users, so there will be no unequal footing here.
In any case, you should revisit your data protection guidelines to better prepare for the GDPR and ensure there are no weak points. The fines can be enormous and it always pays to adopt good data handling practices.