We all know by now that there are changes we need to make but there are key questions that still need to be answered by businesses and organisations in order that they really understand the new law. For example, under GDPR what is the definition of personal data? Is the definition wider under GDPR than the Data Protection Act we are used to?
Personal data definition under the Data Protection Act 1998
Under the Act, 'data' is defined under four categories of information:
- information processed or intended to be processed, wholly or partly by automatic means
- information processed in a non-automated manner which forms part of, or is intended to form part of, a ‘filing system’
- information that forms part of an ‘accessible record’ – that is, certain health records, educational records and certain local authority housing or social services records, regardless of whether the information is processed automatically or is held in a relevant filing system
- information held by a public authority, referred to as 'category (e) data' as it falls within paragraph (e) of section 1(1) of the DPA.
Personal data definition under GDPR
The definition is deliberately a very broad one, possibly as a means of 'catching all'. If a definition is too narrowly drawn, it can lead to major exclusions.
Under the 1998 Act, this data included such things as an expression of opinion of a data controller as to who the information was referring to. In fact, under that Act, any data from which someone could be identified would be classed as 'personal data'.
In other words, it is more than your surname, date of birth, address and so on that we would normally consider personal and unique to us.
For the purpose of GDPR, the definition of personal data reads as follows:
‘personal data’ means any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.
In some ways, it is the broadness of the definition that should concern businesses and organisations processing and managing data. The previous definition had not referred to location data, nor to the physical, genetic or mental attributes, and so on, of an individual.
Additional aspects that affect personal data processing under GDPR are many and varied. Here are just three:
- Processing, for example, refers to any process, automated or otherwise, that collects, records or organises data, including the retrieval of it from archives
- Profiling refers to any form of processing of data that mines it for certain information such as health, interests, reliability and so on
- Pseudonymisation means processing personal data in such a way that it can no longer be attributed to a specific data subject or to an identifiable person
Do you need help with GDPR? Do you really understand how it applies to your business or organisation?
How can we help you?
If you’re in need of assistance with any aspect of ISO or GDPR compliance, here at Synergos we’d be delighted to help. Whether you have questions about the path to compliance or are looking for advice and support to maintain compliance, call 01484 817 444 or Email firstname.lastname@example.org and we’ll be happy to talk it over with you.