What Is Personal Data?
Everything
Well, more or less. A touch flippant perhaps, probably not what you expected, and I’m pretty sure it wasn’t what you hoped for. There it is though, I respect you all too much to sugar coat it, I expect a fair few would call me out on it if I tried to. There’s a reason why the General Data Protection Regulation (GDPR) has been called “The Law of Everything”!
I’d rather tell it to you straight, the definition of Personal Data is unworkably broad and deep. We’re not going to change that anytime soon though, so on that basis I say let’s drag this bogeyman into the light, examine it, and find some ways to live with it.
Fair warning, these articles may make you feel worse before you feel better! Stick with it though.
Breach Reporting Laws: An Unfortunate Misdirect
Breach reporting laws have been around for a long time, people are familiar with them, and they contain definitions of Personal Data. That familiarity allows System 1 thinking to try to take over, but we need to take a step back and be in System 2 again. There are things we need to surface and understand here, it’s not the right time for the quick route.
The term ‘Personal Data’ may appear in breach reporting laws, but they define it very differently. In fact, breach reporting laws take a completely different approach not only to the definition but to how the law works. In general, the state-by-state breach reporting laws take a prescriptive ‘rules based’ approach while privacy laws take a ‘principles based’ approach. They aren’t even close to being the same thing.
For now, let’s just ignore those breach reporting laws. Whenever I say ‘Personal Data’ I mean the much broader definition used in privacy laws.
The Privacy Law Definition
In contrast to the ‘rules based’ approach of data breach reporting laws, privacy laws take a ‘principles based’ approach. You’ll immediately see the difference in the more open language and ideas used in the legal definitions below.
The GDPR defines personal data as:
any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier…
The California Consumer Protection Act (CCPA) defines personal data as:
information that identifies, relates to, describes, is reasonably capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household. Personal information includes…
Gone is any idea of prescriptive lists of fields and combinations. These definitions are wide open and require the reader to understand, interpret, and apply them. It’s more of an instruction manual on how to identify Personal Data than it is an exhaustive, granular, definition. That isn’t healthy for us.
Working With That Loose Definition
Humans love to reduce and simplify things (System 1 thinking), we also generally like to feel safe and confident, we’re not good at uncertainty. In fact, scientists have noted that uncertainty activates the same part of the brain as physical pain (here). Which, I guess, explains why we don’t like it. This fuzzy definition of Personal Data leaves our minds in a tight spot, there are astronomical fines hanging over our heads if we apply the rules too leniently, but if we swing the other way and interpret the law too strictly, we’ll cripple the business.
It can leave you feeling vulnerable, anxious, and frustrated. At least that’s how it regularly makes me feel, and I’ve been doing this a while.
To minimise the discomfort, you’ll be tempted to start placing limits on the definition that aren’t there in the text. You might even catch yourself using terms like “commonsense interpretation” to justify it. I know it helps but try to be strict with yourself about not doing that.
To avoid those System 1 temptations we need to shine that light on the more troubling terms: identifies vs identifiable, direct vs indirect, “relates to”, and whatever the heck “reasonably” is meant to mean. We need to get comfortable with them because we’ll be spending a lot of time together.
We’ll illuminate those dark corners in the next instalment. I know you’re itching to get to practical applications, so I’ll try my best to start and finish it in one post. I stand by what I said early on, we need to be on the same page and standing on a solid foundation before we rush in. Just like stretching before a game of soccer, it’s boring sure, but if you pull a muscle then you’ll wish you’d taken the time. We’re warming up.
And Finally (For This Episode)
From here on in I can’t recommend enough finding a privacy mentor. You need someone to listen as you vent steam about it being unworkable, that everything is Personal Data, and how the law creates circular arguments with no resolution. Ideally you should find someone who’ll smile wryly, recount embarrassing tales of when they felt the same, and then give you the practical advice they wished they’d received. That’s why I’m writing these articles, for anyone who doesn’t have a mentor to hand, maybe I can do a little something to help.
If you can weather the storm, with a little help from your friends, this is where the fun starts. You’ll start to see the moving parts of the puzzle. Keep going and you’ll learn to influence the outcomes rather than only watching.
That’s what keeps me smiling, it’s what keeps me coming back after I’ve finished yelling at the sky, it’s what I’m hooked on – the never-ending puzzle of it. I doubt I’ll ever consider myself a Master of it, but I’ll enjoy many years yet of trying to get there, I hope you do too.
The Data Diva | Data Privacy & Emerging Technologies Advisor | Technologist | Keynote Speaker | Helping Companies Make Data Privacy and Business Advantage | Advisor | Futurist | #1 Data Privacy Podcast Host | Polymath
(1 year ago) Great post! It's awesome to see you continuing to share valuable information on personal data. The fact that you're considering the usefulness for others shows your dedication to helping everyone understand this important topic. Keep up the great work!
LL.M. Law and Technology in Europe |LL.B. European Law | Cybersecurity enthusiast
(1 year ago) I really enjoy the way you write these articles, emphasizing that a concrete foundation in the fundamentals is key before you can move on to the more practical application of the broad definitions of personal data. Looking forward to the next article!
Your guide to the World of Privacy | DPO | Privacy and Data Protection Expert | FIP, CIPP/E, CIPT | GDPR DPP, DPT, DPM
(1 year ago) Great article, Dan! I really enjoyed reading it. You know how to create intrigue in a story. Keep up the good work!
Really nice build on the first piece, Dan.
Senior Privacy Governance Analyst at Hard Rock Digital
(1 year ago) Really enjoyed reading this, Dan C. There is so much to unpack on the topic - looking forward to reading the next segment!