Personal Data in the GDPR
From Article 4 of the GDPR:
‘Personal data’ means any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.
Put simply, a Natural Person is any living individual. The GDPR does not concern itself with the privacy of the deceased.
Personal data, then, is anything that can identify a Natural Person. Where the GDPR is expanding its reach here is with the inclusion of things like ‘identification numbers’, ‘location data’ and, with broad-reaching power, ‘online identifiers’. This means your IP address, mobile browsing data and even the cookies that are stored on your computer could all be considered personal data.
‘Could’ is relevant, because a name on its own is often not personal data – as counterintuitive as that sounds. The important thing here is whether an individual can be identified. Very few people in this world have unique names, so identifying an individual based on name alone should in almost all cases be impossible. Combine it with an address, bank details, recent browsing habits or an IP address, however, and you’ve got yourself personal data.
Conversely, you don’t need to have a name to have personal data. It is very possible to identify an individual without their name, if you have sufficient other data to make the deduction.
So simply omitting names from a database would not guarantee compliance under the GDPR. The GDPR does have scope for ‘pseudonymous’ data, but this requires more than simply removing names.
Special Categories of Personal Data
From Article 9 of the GDPR:
“Processing of personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade-union membership, and the processing of genetic data, biometric data for the purpose of uniquely identifying a natural person, data concerning health or data concerning a natural person’s sex life or sexual orientation shall be
At face value this list of data is off the table for all kinds of processing. But, like much of the GDPR, the devil is in the detail, and in particular, the exceptions.
Of course, hospitals must process health and often genetic data to do their jobs properly. Likewise, a trade union would want to keep track of who exactly is their member.
Biometric data is another example. As a workforce management company, this is particularly important to us, but it is much more far-reaching – think about modern, chipped passports or smartphones with fingerprint readers or facial recognition.
So what about the exceptions?
The above paragraph will not apply if any of the following criteria are met:
- That the data subject has given explicit consent.
- Processing is necessary for the purposes of carrying out the obligations and exercising specific rights of the controller or of the data subject in the field of employment [law]
- Processing is necessary to protect the vital interests of the data subject or of another natural person where the data subject is physically or legally incapable of giving consent
- Processing is carried out in the course of its legitimate activities with appropriate safeguards by a foundation, association or any other not-for-profit body
- Processing relates to personal data which are manifestly made public by the data subject
- Processing is necessary for the establishment, exercise or defence of legal claims or whenever courts are acting in their judicial capacity
- Processing is necessary for reasons of substantial public interest
So… Just ask for consent?
If there is no reasonable basis for processing sensitive data then consent must be sought – and it must be explicitly given. The Data Subject (individual) must be aware of why you wish to obtain the special category data and consent to its use.
But the other options of processing sensitive data exist for a reason. Consent should only be used if you cannot make a reasonable case for any of the other exceptions. We’ll get deeper into Consent in a later post in this series.
The GDPR is a big deal. While we’re attempting to create a readable and accessible introduction to the GDPR, our comments here should not be considered legal advice. The best single place for GDPR information in the UK is the ICO Website. You may also wish to obtain your own legal advice, which, again, this is not.