The GDPR only applies to 'personal data' - below we examine the definition of 'personal data' under the GDPR and consider the effects it has had on UK businesses.
The Definition Under the GDPR
“Any information relating to an identified or identifiable natural person. An identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person”
What Does the GDPR Definition Really Mean?
If the data identifies one or more living people, then the GDPR will apply to that data.
The GDPR gives examples of the types of information that will be considered as ‘identifying’ a person and includes identifiers such as an IP address, location data, or a cookie or other online identifier. Importantly, you don’t need to know someone’s name for them to be directly identifiable!
What Are the Grounds for Processing Personal Data Under the GDPR?
The GDPR requires that personal data is processed lawfully, fairly, in a transparent manner and in a manner which ensures the security of the data.
Processing is only lawful if at least one of the following applies:
- The individual has consented;
- The processing is necessary to perform a contract with the individual;
- The processing is necessary:
  - to comply with a legal obligation of the data controller;
  - to protect the vital interests of the individual;
  - for the performance of a task carried out in the public interest;
  - for the exercise of official authority vested in the controller; or
  - for the legitimate interests of the data controller or a third party (except where such interests are overridden by the data subject’s rights).
There are additional conditions for special categories of data which are discussed in detail within the Sensitive Personal Data section.
Personal data may be processed for new purposes if the new purposes are “compatible” with the original purpose, taking into account any link between the original and new purposes, the context in which the data was collected (including the relationship between the data subject and the controller), the nature of the data, and the use of safeguards such as encryption and pseudonymisation.
What Effect Has This Had on UK Businesses?
The GDPR does not regulate how UK businesses are entitled to process non-personal data, but the extent of personal data covered by the GDPR is now far wider than it was before. UK businesses should be applying the requirements of the GDPR to a greater range of data and processing activities than ever before.
All businesses should consider carefully the lawful basis on which they process data. It should be noted that where the lawful basis relied on is either “public interest” or “legitimate interests”, data subjects may have a right to object to such processing.
In summary, businesses need to be more rigorous in determining the basis for lawful processing and be aware of the new and more enforceable rights of data subjects under the GDPR to object to processing.
What Does My Business Need To Do?
If you haven’t already, you should undertake an audit of all data and evaluate whether you are processing that data in line with the requirements set out in the GDPR.