Personal data under GDPR

Pascal Werner
3 min read · Apr 29, 2018


You have probably not missed the news on GDPR (General Data Protection Regulation), either through all the privacy policy updates everyone is sending around at the moment or by being affected yourself and having to understand what it means. It is the new data privacy regulation in Europe. It has actually been in place since 2016 and becomes enforceable on May 25th, 2018. You can expect to hear more and more about it during the next weeks, but also afterwards, because quite a few parts of GDPR are open to interpretation and there are no best practices yet for some important parts of it.


But what is GDPR and when does it apply?

It’s all about personal data. If you have data that is not personal, you’re not bound by GDPR. Let’s explore this a bit more. Personal data means any information that can be used to identify a natural person. Name, address or phone number are pretty obvious examples of personal data. But identification can also happen indirectly. You also need to consider data sources that are not available to you, but to others. A typical example is IP addresses. For most people they are just an irrelevant piece of information in a strange notation. But combined with information from your ISP (internet service provider), it’s easy to identify you. Other examples are location tracking data or any other kind of time-series data that can be used to identify you.

Why does this matter?

In most company scenarios, user and customer data are directly identifiable anyway; how else would you be able to order shoes and food online and get them delivered to your home? So why do I make this differentiation? There are two good reasons:
1. Any third party tool (and any regular company uses a lot of third party tools) that processes personal data needs to be mentioned in the privacy policy. You should also have a data processing agreement with them. And if they’re not located in the EU, you need to check whether you can actually still work with them. So if you can prove that certain third party tools are not being used for personal data, you’re more flexible in how you can use them.
2. You may want to share anonymous data with researchers, e.g. if you have a lot of health related data, there’s a good chance that the data you have is very relevant for academic research. And academic research doesn’t need to identify anyone individually. It’s about analysing the data anonymously. And if you can prove that the data that you’re sharing is really anonymous, then you don’t need to get consent for it and implement a lot of the GDPR requirements.

Examples for categories of personal data

OK, we have now talked about what isn’t personal data. Now, let’s look at the opposite: typical examples of personal data.
- Marketing data
You’re probably signed up to a lot of company newsletters. And you’re seeing Facebook ads for certain shoes after you googled for them. And how does the tracking work on their website? E-commerce companies in particular deal with that kind of data daily. And especially for retargeting, but also for tracking on websites, there are not really any best practices regarding GDPR yet.

- User / customer data
That’s the core of most companies, the user or customer database. There’s a huge variance as to what companies exactly store, but that’s probably what most people will think of first when thinking of personal data.

- Employee and job application data
Well, GDPR is not only about all the users and customers a company has, but also about all its employees and applicants. What tools does a company use to process applications and employee data? How long does a company store your application?

Every company is different. Just keep the definition of personal data in mind and you’ll find more examples in your company or your personal environment.

This is the first article of a series on a practical approach on GDPR. Follow me to get notified for future articles! Please find here the second article on implications of Slack on GDPR.

This post is part of a series on my learnings with GDPR. Please have in mind that, though based on diligent work, it can contain mistakes and wrong understanding of the legislation. Please let me know if you find those parts.


Written by Pascal Werner

I’m a medical engineer with digital health startup experience and write about data protection, digital health, medical product certification and holacracy.
