GDPR: What is Personal Data?
Date: Dec 4, 2017
The General Data Protection Regulation (GDPR) is a regulation by which the European Parliament, the Council of the European Union and the European Commission will strengthen and unify data protection for all individuals within the EU.
This new regulation comes into effect on the 25th May 2018.
The GDPR applies to all organisations that process the personal data of EU citizens, regardless of where the organisation is physically located, or where the data is processed, transmitted and stored.
The GDPR aims to protect personal data, including yours, that is shared with organisations such as your employer, online shopping websites and social media. Personal data includes names, postal addresses, phone numbers, email addresses and account numbers: in fact, anything that can personally identify a person.
Processing means obtaining, recording or holding the data, or carrying out any actions or operations on the data. Data that is transferred outside of the EU is also protected.
The consequences for non-compliance will be fines up to €20m or 4% of global turnover, whichever is greater.
Article 4 of the GDPR states that personal data is any information relating to a natural person, or ‘data subject’, that can be used to directly or indirectly identify that person.
This ‘identifiable’ data includes name, address, phone number, age, gender, health, social, cultural, genetic, biometric, economic and financial information.
It can include photographs, if the photograph can be used to identify the person.
The easiest way to recognise personal data is to remember the word ‘identifiable’.
Is the individual identifiable from the data? Could they identify themselves? Could their family, friends and colleagues identify them?
The GDPR applies to both automated personal data and to manual filing systems where personal data is accessible according to specific criteria.
This could include chronologically ordered sets of manual records containing personal data.
Every piece of personal data is covered by the GDPR.
Read more: https://gdpr-info.eu/art-4-gdpr/
Lawfulness of Processing Personal Data
Consent must be given to collect and use personal data, unless one of the five other lawful bases for processing applies.
See the six lawful bases for the processing of personal data: https://gdpr-info.eu/art-6-gdpr/
For explicit consent, a simple ‘no response’ or inactivity, such as not ticking a box, is not sufficient. This means no more pre-ticked options.
What data is collected, and how it will be used, must be clearly stated. It must also be easy for people to withdraw consent, and they must be told how to do so. Keep evidence of consent: who gave it, when, how, and what you told them.
GDPR Gap Analysis
A GDPR Gap Analysis will identify what personal data you hold and how you use it.
Once you understand this, a Privacy Information Management System (PIMS) and appropriate policies can be created to manage the data.
For information on the service we provide:
Email: [email protected] or go to: https://www.infosec-cloud.com/gdpr-gap-analysis/