The General Data Protection Regulation (GDPR) is a law that is going to determine how the personal data of people in the European Union (EU) is to be managed. But what does the GDPR regard as personal data? It is vital for businesses to understand how the GDPR defines personal data so that they can have the proper systems in place before May 25, 2018, when the GDPR comes into effect.
In GDPR’s Article 4, Definitions, personal data has been given a “very broad and intentionally vague” definition. Hence, businesses must be mindful when gathering or processing any information. Information that may be regarded as personal data pertains to an identified or identifiable natural person, usually labeled the ‘data subject.’ An identifiable natural person is somebody who can be identified, directly or indirectly, by reference to an identifier such as a name, location data, an identity number or an online identifier, or by reference to one or more factors specific to the mental, physical, physiological, genetic, social, economic or cultural identity of that natural person.
The GDPR doesn’t cover the personal data of an individual who is deceased. But EU member states can make regulations that cover the personal data of deceased individuals. Considering this, the GDPR describes personal data as information used to distinguish a living individual. This definition is quite general, so it may be necessary to look at personal data in various contexts and from various perspectives.
For instance, suppose an organization is gathering the names of prospective clients. John Smith is a common name that may be collected, and a mistake is very likely when trying to identify the specific John Smith originally referred to. However, if a name such as Gary Phry is obtained, it is quite possible that the right person will be identified simply by his name, since it is a fairly unique name. In this instance, John Smith is probably not deemed personal data, whereas Gary Phry is unquestionably viewed as personal data.
To take this example further, suppose the organization gathers more information on John Smith, such as his city of residence, civil status or preferred brand of shoes. These extra details may be used to identify John Smith. Therefore John Smith’s name along with the other details is viewed as personal data. The key to defining information as personal data is whether it could identify the individual directly or indirectly. Bearing this in mind, online and electronic identifiers such as usernames and IP addresses can be viewed as personal data.
So, organizations have to audit their information and determine which items are personal data and which aren’t. They should also get the data subject’s consent to keep on processing the information. If the organization does not carry out the last step and goes on processing the gathered information, it is violating the GDPR and may have to deal with severe fines and sanctions.