GDPR Personal Data
Under the EU General Data Protection Regulation (GDPR), natural persons in the EU now have extensive rights to control how their personal data is collected, maintained and/or used. The GDPR includes a comprehensive definition of what constitutes personal data and sets forth numerous rights of individuals to know how their personal data is being used; each data collector must obtain informed consent to collect, maintain or use the individual's personal data prior to collection. The GDPR covers any "natural person" located in the EU even if your business/organization is located in a non-EU country. This means non-EU citizens, while they are located in the EU, are protected under the GDPR.
Further, in order to comply with the GDPR, businesses and organizations will have to revise their data collection, storage and processing mechanisms to ensure personal data can be isolated, extracted and permanently deleted as required. Compliance reporting may also be required. Larger companies/organizations must appoint a data protection officer to assist with compliance and have automatic record-keeping requirements.
This post is the first in our GDPR Compliance Roadmap Series identifying the primary things businesses and marketers must do to become GDPR compliant.
Businesses Must Understand What GDPR Personal Data They Collect
Businesses must first understand how personal data is defined under the GDPR and then identify how such data is collected through their website or app. This means understanding the entire scope of both direct and automatic data collection.
Under the old EU Directive on Data Protection (and the existing UK Data Protection Act), personal data is broadly defined as "any information relating to a living, identified or identifiable natural person." Identification can be direct (e.g. a person's name) or indirect (e.g. the owner of that business). So, for example, a user ID number is personal data because it can be matched to the name of a user in a database. The term 'personal data' still applies to data even if identifying an individual requires the use of information held elsewhere.
Under the prior EU Data Protection Directive, personal data includes identifiable information such as identification numbers and factors specific to a person’s physical, physiological, mental, economic, cultural or social identity. Clearly, full names are personal data, but not necessarily all email addresses: If you take an email address that states a full name, that clearly identifies that person. This is personal data. But, generic or anonymous email addresses (e.g. info@acmedesign.com) are not personal data. If an individual can be identified from an email address, it is personal data.
Basically, the GDPR keeps the same broad definition of personal data but clarifies that data includes online identifiers and location data. This means that IP addresses, mobile device IDs and unique identifiers are all personal data. Location data is not specifically defined but is associated with data that has any kind of geographic position attached to it. Online identifiers refer to digital information such as IP addresses, cookie strings or mobile device IDs.
Here is the actual definition of personal data under the GDPR:
‘personal data’ means any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.
New additions to categories of sensitive data
Under Article 9, as a sub-category of personal data, sensitive data refers to a more specific type of personal data that should be treated with extra protection and care. The current definition of this includes information such as:
- Racial or ethnic origin
- Political opinions
- Religious or philosophical beliefs
- Trade-union membership
- Health information
- Sex life information (sexual orientation)
- Genetic data
- Biometric data
Under the GDPR, sensitive data is given enhanced protection, with explicit consent required for its processing. The data subject must give express permission to use the data for a specific purpose that is disclosed to him or her before such data is collected.
Two new information types have also now been added to this classification: genetic data and biometric data. Genetic data specifically refers to gene sequences, which are used for medical and research purposes. Biometric data includes fingerprints and retinal and facial recognition data. With the increasing use of fingerprint entry systems and facial recognition programs in mobile applications, the GDPR's new definitions of personal data seek to keep up with current technology.
CAUTION: Under Article 9, in some member countries of the EU, it may be prohibited to process this type of data, even if the data subject gives prior consent.
What about IP addresses?
The most information that the average person can find out about an individual with only their IP address (and nothing else) is what region, city or town that person is in when on the Internet. They won't know anything about you (such as your name, etc.) or the computer you're using. And actually, what they'll find out isn't really about you so much as about your online connection. Of course, we don't know who is using a certain IP address, only, in general, where the computer or device may be located. With VPNs now frequently being used, this only further serves to render IP addresses non-identifiable data under the GDPR.
Recital 26 of the GDPR says: “the principles of data protection should not apply to anonymous information, namely information which does not relate to an identified or identifiable natural person or to personal data rendered anonymous in such a manner that the data subject is not or no longer identifiable. This Regulation does not therefore concern the processing of such anonymous information, including for statistical or research purposes”.
As an example, selling patterns of mobile use data is in fact statistics and is entirely rendered anonymous where the data subject can’t be identified.
The GDPR and Pseudonymization
Recital 26 also states: "Personal data which have undergone pseudonymisation, which could be attributed to a natural person by the use of additional information should be considered to be information on an identifiable natural person". In other words, pseudonymous data is regulated by the GDPR. With anonymous information, by contrast, there is no longer any potential to identify the data subject.
This means:
1. Pseudonymization is recommended where feasible in the GDPR. Along with encryption of personal data, pseudonymization is explicitly mentioned as one of the "appropriate technical and organisational measures to ensure a level of security appropriate to the risk". In other words, it is recommended where appropriate and feasible, as Article 32(1)(a) of the GDPR states. (Research has found that 54% of multinationals in the US plan to use such methods of de-identification to reduce GDPR risk exposure.)
2. Pseudonymization falls under the GDPR because of the potential of "unauthorised reversal of pseudonymisation." The data subject's perspective plays the key role here. Pseudonymization is the result of uncoupling certain aspects of data from a data subject (often as part of security precautions and analytics), whereby the data fields which are the most identifying and/or sensitive in a data record are replaced by pseudonyms. Yet, because the additional information still exists, it can be reversed as well.
The GDPR defines pseudonymisation in Article 4(5) as follows: "the processing of personal data in such a manner that the personal data can no longer be attributed to a specific data subject without the use of additional information, provided that such additional information is kept separately and is subject to technical and organisational measures to ensure that the personal data are not attributed to an identified or identifiable natural person".
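To make the Article 4(5) distinction concrete, here is an added example (not code from the original post, and not an implementation endorsed by any regulator) that pseudonymizes constructed sample records. The identifying fields are replaced with keyed HMAC pseudonyms; the key and the lookup table are the "additional information" that must be kept separately, and holding them is exactly what makes reversal possible, which is why the result is still personal data. For contrast, the same records are also reduced to aggregate statistics in the sense of Recital 26. All records, names and field choices are constructed for illustration.

```python
import hashlib
import hmac
import secrets
from collections import Counter

# Constructed sample records; the people and addresses are fictional.
RECORDS = [
    {"name": "Alice Example", "email": "alice@example.org", "city": "Dublin", "plan": "mobile"},
    {"name": "Bob Example", "email": "bob@example.org", "city": "Dublin", "plan": "mobile"},
    {"name": "Carol Example", "email": "carol@example.org", "city": "Lyon", "plan": "fixed"},
]

# Fields treated as directly identifying (an assumption for this example).
IDENTIFYING_FIELDS = ("name", "email")


def new_key():
    """Generate the secret key that, together with the lookup table, forms the
    'additional information' of Article 4(5). Store it separately from the data."""
    return secrets.token_bytes(32)


def pseudonymize(records, key):
    """Replace identifying fields with keyed pseudonyms.

    Returns (pseudonymized_records, lookup_table). Anyone holding the key or
    the lookup table can re-attribute the records, so both must live outside
    the pseudonymized data set under their own access controls.
    """
    lookup = {}
    out = []
    for rec in records:
        new_rec = dict(rec)
        for field in IDENTIFYING_FIELDS:
            value = rec[field]
            # HMAC rather than a plain hash: without the key, nobody can
            # recompute a pseudonym from a guessed name or email address.
            pseudonym = hmac.new(key, value.encode("utf-8"), hashlib.sha256).hexdigest()[:16]
            new_rec[field] = pseudonym
            lookup[pseudonym] = value
        out.append(new_rec)
    return out, lookup


def reverse(pseudonymized, lookup):
    """Re-attribute records using the separately held lookup table.

    This is the 'reversal' the GDPR has in mind: the operation is routine for
    the legitimate holder of the table and must be impossible for anyone else.
    """
    restored = []
    for rec in pseudonymized:
        new_rec = dict(rec)
        for field in IDENTIFYING_FIELDS:
            new_rec[field] = lookup[new_rec[field]]
        restored.append(new_rec)
    return restored


def anonymize_to_statistics(records, min_group_size=2):
    """Aggregate to counts and drop groups smaller than min_group_size.

    Unlike pseudonymization, nothing that links a row back to a person is
    retained, so the output is statistics in the sense of Recital 26. The
    group-size floor prevents a count of 1 from singling out an individual.
    """
    counts = Counter((r["city"], r["plan"]) for r in records)
    return {k: v for k, v in counts.items() if v >= min_group_size}


if __name__ == "__main__":
    key = new_key()
    pseudo, table = pseudonymize(RECORDS, key)
    print("pseudonymized:", pseudo)
    print("restored with table:", reverse(pseudo, table) == RECORDS)
    print("anonymous statistics:", anonymize_to_statistics(RECORDS))
```

Two design points are worth noting. The same key gives the same pseudonym for the same input, which keeps records about one person linkable inside the data set (useful for analytics) while a different key, or no key, yields unrelated values; that is why the key is part of the "additional information" and not just the lookup table. And the statistics function shows the other side of Recital 26: once only group counts survive, there is nothing left to reverse.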
Now that you learned a little about GDPR personal data, stay tuned for our next post on obtaining required informed consent.