The GDPR applies only to 'personal data'. Below we examine the definition of 'personal data' under the GDPR and consider the effect it has had on UK businesses.
The Definition under the GDPR
“Any information relating to an identified or identifiable natural person. An identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person”
What does the GDPR definition really mean?
If the data identifies, or could be used to identify (directly or indirectly), one or more living people, then the GDPR applies to that data.
The GDPR gives examples of the types of information that will be treated as 'identifying' a person, and these include identifiers such as an IP address, location data, or a cookie or other online identifier. Importantly, you do not need to know someone's name for them to be identifiable: an identifier that singles out one individual is enough.
What are the grounds for processing personal data under the GDPR?
The GDPR requires that personal data is processed lawfully, fairly, in a transparent manner and in a manner which ensures the security of the data.
Processing is only lawful if at least one of the following applies:
- The individual has consented;
- The processing is necessary to perform a contract with the individual;
- The processing is necessary:
  - to comply with a legal obligation of the data controller;
  - to protect the vital interests of the individual;
  - for the performance of a task carried out in the public interest;
  - for the exercise of official authority vested in the controller;
  - for the legitimate interests of the data controller or a third party (except where such interests are overridden by the data subject's rights).
There are additional conditions for special categories of data, which are discussed in detail in a separate briefing.
Personal data may be processed for a new purpose only if the new purpose is "compatible" with the original purpose, taking into account any link between the original and new purposes, the context in which the data was collected (including the relationship between the data subject and the controller), the nature of the data, the possible consequences for the data subject, and the existence of safeguards such as encryption and pseudonymisation.
What effect has this had on UK businesses?
The GDPR does not regulate how UK businesses process non-personal data, but the range of data that counts as personal data under the GDPR is far wider than under the previous regime. UK businesses should therefore be applying the requirements of the GDPR to a greater range of data and processing activities than ever before.
All businesses should consider carefully the lawful basis on which they process data. Note that where the lawful basis relied on is "public interest" or "legitimate interests", data subjects have a right to object to that processing.
In summary, businesses need to be more rigorous in determining and recording the basis for lawful processing, and to be aware of the new and more readily enforceable rights of data subjects under the GDPR to object to processing.
What does my business need to do?
If you have not already done so, you should undertake an audit of all the data you hold and evaluate whether you are processing that data in line with the requirements set out in the GDPR.
Will the GDPR apply to people who are no longer alive?
No – the GDPR will only apply to the personal data of living individuals.
Will the GDPR apply to company information?
No – where the information identifies a company or business entity and nothing else, the GDPR will not apply. However, if that same data also identifies one or more individuals who own, work at or are otherwise related to that company or business entity, then yes, the GDPR will apply to that data.
Who or what is the ‘data subject’?
The data subject is the living individual that is identified in, or identifiable from, the personal data.
Will somebody’s email address be counted as ‘personal data’?
That depends. If a specific person can be identified from that email address, then yes (e.g. firstname.lastname@example.org). If it is a generic email address (e.g. email@example.com), then on its own it is unlikely to be 'personal data', although it may become personal data if it is held together with other information that identifies the individual using it.
So any information that mentions somebody will be ‘personal data’?
Does this apply to all businesses in the UK?
Yes, to the extent that they process personal data. And there will be very few UK businesses that do not process any personal data at all.
What about ‘sensitive’ personal data?
The GDPR has replaced the previous approach to 'sensitive' personal data with a category titled 'special category' data. For further information, you should read our separate briefing on special category data.
- Data controller means the person or organisation that determines the purposes for which personal data will be processed, and the manner in which it will be processed.
- GDPR means the General Data Protection Regulation, the EU law that replaced the Data Protection Directive 95/46/EC; in the UK it is supplemented by the Data Protection Act 2018, which replaced the Data Protection Act 1998.
This briefing does not amount to legal advice and is provided for information purposes only. It should not be regarded as a substitute for taking up-to-date legal advice.