How Does the GDPR Define Personal Data? How Should It Be Handled?
Jeffrey Edwards
Cyber Risks & Threats | March 29, 2023
To ensure compliance with the GDPR, it’s essential to understand what constitutes Personal Data and the requirements regarding processing and safeguarding this information.
What is Considered Personal Data under the GDPR?
Personal Data, a legal term defined by the GDPR, is “…any information relating to an identified or identifiable natural person (‘Data Subject’); an identifiable person is one who can be identified, directly or indirectly, in particular by reference to an identification number or to one or more factors specific to his physical, physiological, mental, economic, cultural or social identity.”
Personal data includes:
- Name and surname
- Phone number
- Home address
- Date of birth
- Credit card or bank account number
- Identification card number
- Medical data
- Photograph where an individual is identifiable
- Internet Protocol (IP) address
- Unique cookie identifiers
- Tracking location data
- Individual targeted advertising data
Although a single piece of personal information may not be enough to identify an individual on its own, several pieces collected together often can, and that combination then qualifies as Personal Data.
What are the GDPR’s requirements for the processing of Personal Data?
Personal Data use is regulated in all phases under the GDPR, from collecting and processing to storing and destroying. The GDPR outlines a cautious and meticulous approach to Personal Data processing, beginning with collecting the least amount of Personal Data possible, while keeping that data for the least amount of time, and all the while keeping it secure.
Compliance with the GDPR requires that organizations:
- Be transparent when collecting and processing the Personal Data of customers, consumers, and employees, and keep records of organizational policies and actions relating to the data’s use.
- Limit what Personal Data, especially sensitive data, is processed to only what is necessary for business processes.
- Retain Personal Data only as long as it’s needed for its original purpose.
- Process and store the data in a secure way, so as to protect against unlawful loss, destruction, damage, or theft. For example, use techniques such as anonymization, pseudonymization, and/or encryption.
- Create plans for possible data breaches, and train employees on proper procedures related to processing Personal Data.
What does the GDPR define as “sensitive data”?
The GDPR describes sensitive data as personal information that must be protected and treated with high security. Sensitive data, if revealed, could leave a person vulnerable to crime. This data will generally fall into one of these categories:
- Race or Ethnicity
- Sexual Orientation
- Political, philosophical, or religious beliefs
- Genetic information
- Biometric information (biological measurements, including distinguishing physical characteristics, that can be used to identify a person)
- Trade union membership
The GDPR imposes strict requirements on the processing of sensitive personal data: organizations must document a specific legal purpose for its use or obtain consent from data subjects. Allowable purposes for the use of sensitive data are:
- Having consent from, or a legal contract with, an individual
- A legal obligation requiring the processing of the data
- Necessary use relating to public interest, such as information on governmental authorities, schools, or law enforcement departments
- Necessary use relating to public health
- Necessary use relating to scientific or historical research and statistics
What is non-personal data?
Non-personal data under the GDPR is information that is non-sensitive in nature, or data that has been anonymized and cannot be de-anonymized. Any encrypted data that could be reversed and used to identify a person, however, is still personal data.
Non-personal data under the GDPR also includes:
- Information about a deceased person
- Information about public authorities and companies
- An age range
- Aggregate demographic, economic, and social data
Is Personal Data the same as Personally Identifiable Information (PII)?
Personal Data, as defined under the GDPR, differs from a similar term: Personally Identifiable Information (PII). PII is a term commonly used in countries outside the EU, particularly the US, and does not refer to any specific legal regulation. Although there is no single established definition, PII is most commonly defined as data that can be used to directly identify a specific person. Categories of PII include:
- Name and surname
- Phone number
- Home address
- Date of birth
- Social Security number
- Driver’s license or passport number
- Credit card or bank account number
- Medical data
Everything that would be categorized as PII would also be considered Personal Data under the GDPR. However, because Personal Data covers a broader range of information, including data that may only indirectly identify an individual, not all Personal Data would be considered PII. Laws regarding PII are set by individual governments and organizations and vary both in the standard of protection they require and in the rights they give individuals to control their own data.
Enable GDPR Compliance with CHEQ
A truly compliant Consent Management solution should work autonomously, with no dependencies on other systems, to enforce the privacy choices of users.
CHEQ Privacy and Compliance Enforcement takes control of a website, app, or digital asset and fundamentally changes how the page is rendered based on the user’s preferences—so you don’t have to rely on third-party analytics platforms to uphold your GDPR compliance.
With CHEQ, you can set up customizable banners and give your visitors a clear-cut choice about whether and how their data is collected and used. You can quickly add CHEQ to every iteration of your website with a single line of code, audit your website to understand which cookies are in use and where, and identify potential security or compliance issues. Want to know more? Schedule a demo today.