In my last blog, I gave a general introduction to the EU General Data Protection Regulation (GDPR), the upcoming directive for data privacy due to come into effect on May 25th, 2018. GDPR grants broad rights to Data Subjects over the way their “Personal Data” is handled. It places obligations on “Data Controllers” and “Data Processors” to protect the Personal Data of “Data Subjects.”
In this blog, I will focus on the topic of “Personal Data.”
GDPR Chapter 1 Article 4 defines “Personal Data” as
“any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person”.
- Data: stored information
- Personal: the information relates to an identified or identifiable “natural” person – meaning the identification of the person (an individual) is possible using the data
The GDPR definition of Personal Data is wider in scope than commonly used terms like PII (Personally Identifiable Information), PHI (Personal Health Information), and PCI (Payment Card Industry). In fact, Personal Data can relate to any mix of the following:
- Personal: name, gender, national ID, social security number, location, date of birth
- Physical, genetic, psychological, mental, cultural, social characteristics, race, ethnicity, religion, political opinions, biometrics, etc.
- Online computer identifiers
- Medical, financial, etc.
- Organizational: recruitment, salary, performance, benefits, etc.
It is worth noting that GDPR does not apply to deceased persons. However, their data “may” be deemed personal for their descendants if this data gives hereditary information. Also, the “identifiability” of a Data Subject is a moving target because it depends on his or her circumstances.
There are three important terms to understand regarding Personal Data in GDPR:
Anonymize Personal Data
Data Controllers and Processors can protect Personal Data by anonymizing it. This is the permanent modification of Personal Data (by randomization or generalization) in such a manner that it cannot be attributed back to the Data Subject. It is also an irreversible process, meaning that the data cannot be restored to its original identifiable form. Anonymized data is not subject to GDPR restrictions.
Pseudonymize Personal Data
Data Controllers and Processors can pseudonymize personal data by processing it in such a manner that “it can no longer be attributed to a specific data subject without the use of additional information, provided that such additional information is kept separately and is subject to technical and organisational measures to ensure that the personal data are not attributed to an identified or identifiable natural person”.
- Carries a higher risk than anonymization and requires technical and procedural controls.
- Strikes a better balance between the interests of Data Subjects and those of Data Controllers/Processors.
- Pseudonymized data is subject to GDPR controls since Personal Data can be re-identified from it.
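The difference between the two terms above, as an added example that is not code from the original post: `pseudonymize` replaces identifiers with a keyed token that the key holder can link back to a person, while `anonymize` generalizes and aggregates with no key or mapping retained. The records, field names, key, and the small-group suppression threshold `k` are constructed assumptions for illustration.

```python
import hashlib
import hmac

# Constructed sample records, not real data.
RECORDS = [
    {"name": "Alice Example", "national_id": "ID-1001", "dob": "1984-03-17", "salary": 52000},
    {"name": "Bob Example", "national_id": "ID-1002", "dob": "1987-11-02", "salary": 48000},
    {"name": "Carol Example", "national_id": "ID-1003", "dob": "1991-06-30", "salary": 61000},
    {"name": "Dan Example", "national_id": "ID-1004", "dob": "1979-01-09", "salary": 45000},
]

def pseudonymize(record, key):
    """Swap direct identifiers for a keyed token. The key is the 'additional
    information' and must be stored apart from the output data set."""
    digest = hmac.new(key, record["national_id"].encode(), hashlib.sha256)
    return {"token": digest.hexdigest()[:16], "dob": record["dob"], "salary": record["salary"]}

def reidentify(token, identity_records, key):
    """Whoever holds the key and the identity records can link a token back to
    a person, which is why pseudonymized data remains Personal Data."""
    for rec in identity_records:
        if hmac.compare_digest(pseudonymize(rec, key)["token"], token):
            return rec["name"]
    return None

def anonymize(records, k=2):
    """Generalize to birth decade and aggregate; no key or mapping is kept.
    Groups smaller than k are suppressed (an assumption of this example)
    because a group of one still describes a single person."""
    groups = {}
    for rec in records:
        groups.setdefault(rec["dob"][:3] + "0s", []).append(rec["salary"])
    return {decade: {"count": len(s), "avg_salary": sum(s) // len(s)}
            for decade, s in groups.items() if len(s) >= k}

if __name__ == "__main__":
    key = b"constructed-demo-key"  # in practice: random, held in a separate system
    rows = [pseudonymize(r, key) for r in RECORDS]
    print(rows[0], "->", reidentify(rows[0]["token"], RECORDS, key))
    print(anonymize(RECORDS))
```

The pseudonymized rows still carry the full date of birth, so they can also be linked by combining fields even without the key; the aggregated output carries neither tokens nor row-level values.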
Minimize Personal Data
The GDPR states that Personal Data should be “adequate, relevant and limited to what is necessary for the purposes for which they are processed. This requires, in particular, ensuring that the period for which the personal data are stored is limited to a strict minimum. Personal data should be processed only if the purpose of the processing could not reasonably be fulfilled by other means.”
The word “necessary” is critical here. It means that Data Controllers and Processors can only collect data that is necessary for the purpose of the transaction with the Data Subject. They can also retain this data only for a strict minimum period.
In my coming blogs, I will cover the various rights of Data Subjects vis-à-vis Personal Data, for example:
- Right to consent
- Right to be forgotten
- Right to rectification
- Right to data portability
- Right to object
- Right to limited usage of collected data
- Right to be notified of data breaches