istock-997693934

What is Classed as Personal Data?

The GDPR only applies to 'personal data' - below we examine the definition of 'personal data' under the GDPR and consider the effects it has had on UK businesses.

The Definition Under the GDPR

“Any information relating to an identified or identifiable natural person. An identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person”

What Does the GDPR Definition Really Mean?

If the data identifies one or more living people, then the GDPR will apply to that data.

The GDPR gives examples of the types of information that will be considered as ‘identifying’ a person and includes identifiers such as an IP address, location data, or a cookie or other online identifier. Importantly, you don’t need to know someone’s name for them to be directly identifiable!

What Are the grounds for Processing Personal Data Under the GDPR?

The GDPR requires that personal data is processed lawfully, fairly, in a transparent manner and in a manner which ensures the security of the data.

Processing is only lawful if at least one of the following applies;

  • The individual has consented;
  • The processing is necessary to perform a contract with the individual;
  • The processing is necessary;
    • to comply with a legal obligation of the data controller;
    • to protect the vital interests of the individual;
    • for the performance of a task carried out in the public    interest;
    • for the exercise of official authority vested in the controller;
    • for the legitimate interests of the data controller or third party (except where it such interests are overridden by the data subject’s rights)

There are additional conditions for special categories of data which are discussed in detail within the Sensitive Personal Data section.

Personal data may be processed for new purposes if the new purposes are “compatible” with the original purpose taking into account any link between the original and new purpose, the context of the collection of the data including the relationship between the data subject and controller, the nature of the data, and the use of safeguards including encryption and pseudonymisation.

What Effect Has This Had on UK Businesses?

The GDPR does not regulate how UK businesses are entitled to process non-personal data, but the extent of personal data covered by the GDPR is now far wider than it was before. UK businesses should be applying the requirements of the GDPR to a greater range of data and processing activities than ever before.

All businesses should consider carefully the lawful basis on which they process data. It should be noted that where the lawful basis used is either "public interest" or "legitimate interests” then data subjects may have a right to object to such processing.

In summary, businesses need to be more rigorous in determining the basis for lawful processing and be aware of the new and more enforceable rights of data subjects under the GDPR to object to processing.

What Does My Business Need To Do?

If you haven’t already, you should undertake an audit of all data and evaluate whether you are processing that data in line with the requirements set out in the GDPR.

FAQs

No – the GDPR will only apply to the personal data of living individuals.

No – where the information identifies a company or business entity and nothing else, the GDPR will not apply. However, if that same data also identifies one or more individuals who own, work at or are otherwise related to that company or business entity, then yes, the GDPR will apply to that data.

The data subject is the living individual that is identified in, or identifiable from, the personal data.

That depends – if a specific person can be identified from that email address, then yes (eg. mary.jones@ukcompany.com). If it is a generic email address (eg. admin@ukcompany.com) then it is unlikely to be ‘personal data’.

Yes

Yes, to the extent that they process personal data. And there will be very few UK businesses that do not process any personal data at all.

The GDPR has replaced the previous approach in relation to ‘sensitive’ personal data with a definition titled ‘special category’ data. 

Get in touch

Talk to us about your legal challenges and discover how our expert, pragmatic legal advice and broad commercial acumen can help.