GDPR and Personal Data: What is it?
If you are engaging in international business or are just a savvy consumer, you may be familiar with the General Data Protection Regulation, more commonly known as the GDPR. It is the most comprehensive data privacy and security legislation to date and has served to reform many of the data protection laws around the world. The GDPR also has some of the highest financial penalties of any data privacy and security legislation in the world. If found liable for a breach of data protection, you could be subject to a penalty of up to 4% of your company's yearly revenue or 20 million British pounds. I think it is easy to see that if you’re doing business with personal data in the UK, you need to take GDPR seriously or it can seriously affect your bottom line. So what is personal data, and do you need to worry about it?
Personal data is much broader than America’s personally identifiable information (PII) and even broader than the PHI of HIPAA. There are a handful of government entities that aid in protecting personally identifiable information (PII). In the United Kingdom, the Information Commissioner's Office (ICO) regulates the GDPR, which has a far more extensive definition of personal data that encompasses PII and much more. Personal data is defined in a variety of ways depending on the legislation. Here is a broad list of data that is considered personal data by various data privacy laws:
GDPR Sensitive Personal data
- Your Name, which includes full names (first, middle, last name), maiden name, mother’s maiden name, alias
- Your Addresses: street address, email address
- Phone numbers: mobile, business, personal
- Asset information: internet protocol (IP) address, media access control (MAC) address
- Any Personal identification number: social security number (SSN), passport number, driver’s license, state identification number, taxpayer identification number, patient identification number, financial account or credit/debit card
- Personal features: photographic images (that have distinguishing features e.g. show the face), x-rays, fingerprints, retina scan, voice signature
- Information identifying personally owned property: Vehicle Registration Number
Additional information that can be considered personal data
In addition to the examples listed above, some laws consider a combination of specific data to be personal data if it can be used to identify an individual. The following information, which can be combined with other data to form a person’s identity, may also be regarded as personal data:
- Date of birth
- Place of birth
- Geographical location
- Employment information
- Medical information
- Education information
- Financial information
- Family members
Within the GDPR specifically, the definition of personal data is intentionally kept pretty vague. It is essentially any information that can be used to identify a specific person. While this list might seem a bit short, it can get a bit out of hand when considering online privacy. We have to consider IP addresses, email addresses, usernames, and passwords.
GDPR Personal Data definition
Article 4 of the GDPR, in the Definitions section, defines personal data as follows:
‘personal data’ means any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person;
Here we see a handful of categories of data but not concrete examples of what that data is. This gray area leaves much to be desired for the business owner attempting compliance. That being said, with so much on the line, if you are engaging with any sort of personal data from the UK, it’s better to be safe than sorry. The ICO not only regulates much more information than the HHS in the United States, but it also performs considerably more audits per year than the HHS. Throughout the GDPR, they do list a handful of examples of personal data, but I would like to bet this is one of those “including but not limited to” scenarios, so the list below is by no means exhaustive.
Additional Information that is considered personal data under GDPR:
- E-Commerce order ID
- IP address
- Cookie ID
- Location data
- Data held by a doctor that could uniquely identify an individual
- Other “online identifiers” such as tools, applications, or devices (like their computer/smartphone)
- “Personal data that has been de-identified, encrypted or pseudonymised but can be used to re-identify a person remains personal data and falls within the scope of the GDPR.”
As with many other aspects of data protection, the GDPR takes personal data one step further than other privacy and security regulations. This ambiguous definition may be a bit of a headache for businesses in terms of compliance, but it is a step closer to putting the power back in the hands of the people. Ultimately, I believe we will see a shift to much more stringent data protection legislation in the United States and around the world. Not only will these laws mirror the GDPR, but I believe they will also increase the frequency with which institutions are audited, thereby increasing accountability and ultimately adding a level of pressure for organizations to become compliant.
Respect the data of individuals
It’s important for organizations to be held accountable for the ways they treat our data, as it can have some real-world implications in the event of a breach. Something as basic as a profile picture can be used to create a fake social media profile or to commit full-on identity theft online. Such accountability also protects you from the nosey ex who might call your place of employment and inquire about your schedule, or about the time of your reservation at that favorite restaurant of yours.
In contrast, there are also individuals interested in your data who have no idea who you are. The data brokerage market is a $200 billion industry, and as with every industry, there are thieves and scammers. Savvy scammers are able to sell some of your personal data for upwards of $250. With such a high price on personal data, there is a long line of people looking to cash in on weak points in companies’ data information systems. That being said, it is crucial that our laws create conditions that mitigate loss on all fronts. All in all, strides are being made toward putting more control back in the hands of the consumer, which is a win in a day and age where so much of our data seems to be out in the open.