The DPA and the GDPR apply only to 'personal data'. Below we examine the new definition of 'personal data' in the GDPR and consider what effects it will have on UK businesses.
The Definition under the DPA
“data which relates to a living individual who can be identified from those data, or from those data and other information which is in the possession of, or is likely to come into the possession of, the data controller”
What does the DPA definition really mean?
If the data identifies one or more living people, then the DPA will apply to that data, provided that each of the three tests below is also satisfied.
If the data could be combined with other data that is in the data controller's possession, or that is likely to come into the data controller's possession, and the combined data could identify one or more living people, then the DPA will apply to both sets of data, again provided that each of the three tests below is also satisfied.
In order for the DPA to apply, each of the following must also be true:
- The data must ‘relate to’ a person’s personal life, family life, business or profession,
- The data must be ‘obviously about’ that person, or ‘linked to’ that person, and
- The data must be used to influence a decision about that person, or be ‘biographical’ about that person, or concentrate on that person as its ‘central theme’, or have an actual or potential impact on that person’s personal life, family life, business or profession.
The Definition under the GDPR
“Any information relating to an identified or identifiable natural person”
“an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person”
What does the GDPR definition really mean?
If the data identifies one or more living people, or could be used (directly or indirectly, alone or together with other information) to identify them, then the GDPR will apply to that data.
The GDPR itself gives examples of the kinds of identifier that will make a person 'identifiable': a name, an identification number, location data, an online identifier (such as an IP address or a cookie ID), or factors specific to that person's physical, physiological, genetic, mental, economic, cultural or social identity.
What are the significant differences between the DPA and the GDPR?
The most obvious difference is the relative simplicity of the GDPR – the various tests that have been added onto the DPA definition by the UK courts over the years will cease to apply. Put simply, if data identifies a living person, that data will be governed by the GDPR.
As a result, the extent of data covered by the GDPR will be far wider than that covered by the DPA.
For example, where Mrs Jones complains to her local council about a business that has been fly-tipping, the file that is created from the investigation would not be ‘personal data’ under the DPA, but it is likely to be ‘personal data’ under the GDPR simply because it is likely to identify Mrs Jones as being the original complainant.
What effect will this have on UK businesses?
The GDPR will still not regulate how UK businesses are entitled to process non-personal data, but the extent of personal data covered by the GDPR will be far wider than it currently is under the DPA. UK businesses will have to apply the requirements of the GDPR to a greater range of data and processing activities than ever before.
What will my business need to do?
UK businesses should already be processing all personal data in accordance with the requirements of the DPA. In order to get ready for the GDPR, UK businesses should undertake an audit of all data (whether currently classed as ‘personal data’ under the DPA or not) and reconsider whether that data will be reclassified as ‘personal data’ under the wider GDPR definition.
If any data is likely to be reclassified as ‘personal data’ under the GDPR, then UK businesses should start to process that data in line with the requirements set out in the GDPR.
Will the GDPR apply to people who are no longer alive?
No – as with the DPA, the GDPR will only apply to the personal data of living individuals.
Will the GDPR apply to company information?
No – where the information identifies a company or business entity and nothing else, the GDPR will not apply. However, if that same data also identifies one or more individuals who own, work at or are otherwise related to that company or business entity, then yes, the GDPR will apply to that data.
Who or what is the ‘data subject’?
The data subject is the living individual that is identified in, or identifiable from, the personal data.
Will somebody’s email address be counted as ‘personal data’?
That depends – if a specific person can be identified from that email address, then yes (eg. firstname.lastname@example.org). If it is a generic email address (eg. email@example.com) that you happen to know is usually monitored by Mrs Jones, then it is unlikely to be ‘personal data’.
So any information that mentions somebody will be ‘personal data’?
Does this apply to all businesses in the UK?
Yes, to the extent that they process personal data. And there will be very few UK businesses that do not process any personal data at all.
What about ‘sensitive’ personal data?
The DPA recognises that some forms of personal data (called ‘sensitive’ personal data) require extra protection. The GDPR adopts a similar approach, but has a different definition of ‘sensitive’. We will cover this distinction in our briefing in a couple of weeks’ time.
- Data controller means the person/business who determines the purposes for which personal data will be processed, and the manner in which it will be processed.
- DPA means the Data Protection Act 1998, the statute that currently governs the processing of personal data in the UK.
- GDPR means the General Data Protection Regulation, the EU law that will replace the Data Protection Act 1998 from May 2018.
This briefing is based on the law as it stands in April 2017. It is possible (and, indeed, likely) that, before the GDPR starts to apply in May 2018, the Information Commissioner's Office will release a number of guidance notes that will help to interpret the GDPR. These guidance notes may offer additional advice for UK businesses, and may even cause some of the information in this briefing to become out of date or incorrect. As a result, this briefing does not amount to legal advice and is provided for information purposes only. It should not be regarded as a substitute for taking up-to-date legal advice.