This GDPR relevant data - what is it exactly?

I'll start by saying that I am not a GDPR expert at all; I'll confess to that upfront. But I am an EU citizen, for now at least, and as such my personal data rights are going to be covered by GDPR and whatever the UK will establish in parallel as a response to BREXIT.

All that said, I am intrigued as to what data exactly is covered under GDPR - it's a hot button topic that my various business feeds in social media are full of commentary on.

Try to do a Google search and you're likely to come up with a lot of opinion pieces, pseudo white papers and prophecies of corporate gloom and doom resulting from ICO penalties.

If you try to actually get to the heart of what's important, it seems a little harder. So I tried to hit the regulations themselves to get a little more insight. Dr. Detlev Gabel and Tim Hickman of White & Case LLP wrote an interesting piece on this which is published on their website entitled Key definitions.

Most importantly, they point out that this GDPR thing is an EU data protection law that only applies to personal data. Information that does not fall within the definition of "personal data" is not subject to EU data protection law. They give a very nice breakdown of the Directive and the Regulation.

Let's get personal

In a nutshell, "personal data" is information relating to an identified or identifiable natural person ("data subject"): someone who can be identified, directly or indirectly, especially by reference to an identification number or identifier, or to one or more factors specific to his physical, physiological, mental, economic, cultural or social identity. This includes location data and genetic data. There is also what they call out explicitly as 'sensitive personal data', but that's just a class of the personal data already identified.

Some goodness that Gabel and Hickman call out in particular is the fact that, for some companies, inclusion of location data, online identifiers and genetic data within the definition of "personal data" may result in additional compliance obligations. Consider, for example, online advertising businesses that deliver cookies to your computer in your browsing sessions. Those are effectively "online identifiers".

Further, under the GDPR companies are encouraged to depersonalize or pseudonymise data as a security measure to achieve compliance, or rather avoid non-compliance!

Pseudonymisation is a technical procedure by which you take the most identifying fields within a data record and replace them with one or more artificial identifiers, or pseudonyms. Single pseudonyms can be used for a collection of replaced fields or a specifically replaced field.
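A sketch of the two variants just described, one pseudonym per replaced field and a single pseudonym for a collection of fields, added here as an illustration and not taken from the article or its sources. The keyed HMAC-SHA256 construction, the key, the field names and the sample records are all assumptions made for the example.

```python
import hashlib
import hmac
import unicodedata

# Constructed key for the demo; in practice it is generated randomly and held
# separately from the pseudonymised data set.
DEMO_KEY = b"constructed-demo-key-not-for-production"

def normalise(value):
    """Fold case, width and whitespace so one person maps to one pseudonym."""
    return " ".join(unicodedata.normalize("NFKC", str(value)).casefold().split())

def pseudonym(key, label, values):
    """Keyed HMAC-SHA256 over length-prefixed parts, truncated to 16 hex chars."""
    mac = hmac.new(key, digestmod=hashlib.sha256)
    for part in [label, *map(normalise, values)]:
        raw = part.encode("utf-8")
        # The length prefix keeps ("ab", "c") distinct from ("a", "bc").
        mac.update(len(raw).to_bytes(4, "big") + raw)
    return mac.hexdigest()[:16]

def pseudonymise_per_field(record, fields, key=DEMO_KEY):
    """Replace each identifying field with its own pseudonym."""
    out = dict(record)
    for name in fields:
        out[name] = pseudonym(key, name, [record[name]])
    return out

def pseudonymise_collective(record, fields, key=DEMO_KEY, token_field="subject_id"):
    """Drop all identifying fields and replace them with one pseudonym."""
    out = {k: v for k, v in record.items() if k not in fields}
    out[token_field] = pseudonym(key, "|".join(fields), [record[f] for f in fields])
    return out

# Constructed sample records (the second is the same person, typed differently).
IDENTIFYING = ("forename", "surname", "date_of_birth")
RECORDS = [
    {"forename": "Henry", "surname": "Windsor", "date_of_birth": "1970-01-01", "basket_total": 42.50},
    {"forename": " henry", "surname": "WINDSOR ", "date_of_birth": "1970-01-01", "basket_total": 17.00},
    {"forename": "Henry", "surname": "Windsor", "date_of_birth": "1971-02-02", "basket_total": 8.25},
]

if __name__ == "__main__":
    for rec in RECORDS:
        print(pseudonymise_per_field(rec, IDENTIFYING))
        print(pseudonymise_collective(rec, IDENTIFYING))
```

Anyone holding the key can recompute a pseudonym from a known name and date of birth, so the output is still personal data for that party; the measure only protects against those who do not have the key.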

I am not going to go into the controlling versus processing discussion or debate because I am most focused on the data itself, but it does seem that, depending on your role in the handling of GDPR relevant data, you need to take some care in how you store, handle and maintain that data. In both roles, you have a responsibility to the person whose data you are handling or storing.

Some attributes of these responsibilities include fair, lawful and transparent processing, for an appropriate purpose, with data minimisation in mind as well as accuracy, retention, security and accountability. Again, Gabel and Hickman handle this neatly in their chapter 6.

What is an identifier?

So with all this, what then are the salient bits of data that might relate to me personally? Well, of course the obvious ones are things like National Insurance number (NINo), but effectively this could be any record identifier that is used widely. That includes things like your email address, an OpenID, a cookie, a name, a biometric element used for identity verification like an iris or fingerprint, your location, your occupation, your gender, a physical factor like a tattoo perhaps, a health-related data element like a heart condition, indeed anything...

Some of these things, though, have a contextual element. So consider that you have an electronic spreadsheet of data. This sheet contains just forenames, nothing else. If it doesn't tie to something bigger or cannot be related to someone specifically, then the list does not contain personal data but only first names. A list of the most common first names off the national voter's roll, for example, is not personal data.

Is having a name enough to say that you have personal data?

If you however add more context, such as the name and surname, you're getting closer but you're still not quite there. Consider Henry Windsor. It maybe doesn't seem a very common name, but you'd be surprised how many there are and have been. So given the ambiguity of singling out a specific Henry just with the forename and last name in the list, it is probably safe to assume you still don't have anything personal yet. Add a date of birth, and suddenly the forename, the last name and the date of birth all are personal.

The last thing I will comment on, is the identifier. I already called out that the NINo is an identifier but the GDPR doesn't actually spell out what an identifier is and doesn't give a full list of all possible identifiers.

Philip Brining wrote a piece for dataprotectionpeople.com in which he said that if he had a photograph of a random person and he doesn't know who the photo is of and therefore he is unable to identify them from the data, then the photo in and of itself is not personal data. The concept of identifiability makes it very clear.

The regulation does give a number of types and broader categories of identifiers and these are data objects that enable unambiguous identification. I-Scoop provide a great article that describes the data subject, personal data, identifiers and pseudonymous information.

Some examples they cite are devices with unique persistent IDs (MAC and IMEI numbers), applications with unique IDs (e.g. registration key), IP addresses, cookies and RFID tags. These kinds of things leave breadcrumb trails that can be used to track and target you as an individual and are particularly significant in this era of all-things-connected. PIWIK do the same, calling out some other good ones like driver's license number and credit card numbers, but they also explain the difference between Personally Identifiable Information (PII) in the US and Personal Data in the European context. You will also find a raft of additional examples on Wikipedia including vehicle registration plate, login name, screen name, nickname, or handle.

Where will this all end?

As the sources of data that companies have grow and expand in breadth, it becomes increasingly difficult to anonymise the data, and so in the end it will really come down to some basic elements: do you know what data you have, should you have that data, is it up to date, and are you using it for the purpose for which it was originally furnished to you? Personal data is an extremely useful tool for the criminal elements of society to exploit for financial gain, so it needs to be protected.

Finally, as Brining says "Why not err on the side of caution and determine as a matter of policy to transfer all data securely" - I'll add, make sure you store it securely, make sure you know what data it is that you have, how current it is and make sure that you should have it in the first place.

Technology can help in peeking under the covers to see what you have and how it looks - what are you using?

Chris Coleman

Re-imagine your desktop - Integrate your applications together to create a fluid user experience

7 years ago

Great stuff Clinton Jones, I think this topic will roll on for some time.
