How is Personal Data Defined Under the New GDPR Provisions?
The General Data Protection Regulation (GDPR) is already in force and, hopefully, you have implemented all of the required changes. To ensure consistent compliance, however, you need a thorough understanding of the term "personal data" and its specific definition under GDPR.
The general definition of personal data is easy to understand – it is data pertaining to a specific person (financial, medical, personal, etc.) that should be protected. Does GDPR change the definition of the term, however?
The Definition of Personal Data
More information about the definition of personal data is available in GDPR Article 4.
The regulation states that personal data is any information that relates to an identifiable individual. An identifiable individual is someone who can be identified by their name, an ID number, an online identifier (such as an IP address) or any other source of information that can be used for either direct or indirect identification.
As you can see, the GDPR definition is quite vague and could relate to just about anything. The scope of covered information has been expanded in an attempt to give people more control over the privacy of their data.
New Categories of Sensitive Data
Under GDPR, personal data has an important sub-category: sensitive data. Sensitive data is more specific and should be handled more carefully by website administrators and web service providers.
A few common types of sensitive data under GDPR include:
- Information about a person’s race or their ethnicity
- Political opinion
- Health details
- Sexual orientation
- Religious affiliation
In order to process sensitive data, online service and content providers have to obtain explicit consent under the GDPR.
There are two more types of data that fall under the same category and necessitate similar processing – biometric and genetic data. Genetic data is specifically used for medical research purposes. Biometric data includes fingerprints, retinal scans, etc.
Processing Terms and Conditions for Personal Data Handling
Now that you have a better idea of what personal data is, it’s time to understand how such information should be processed and handled under GDPR.
The conditions for personal data processing under GDPR are somewhat similar to those under the Data Protection Act of 1998. Processing is lawful whenever:
- Consent is obtained from the individual that the data pertains to
- The processing of such data is absolutely necessary for the performance of a contract, for legal compliance, for the performance of a task, or to meet a legal obligation
- Explicit consent is obtained for sensitive personal data
To meet these requirements, website owners have to review existing data collection policies, as well as the terms and conditions presented on the website itself. If a consent mechanism is already in place, it should be reviewed to make sure it meets the much more stringent GDPR requirements (especially for sensitive data).
Whenever personal or biometric data is being processed, both GDPR and local national regulations have to be taken into consideration. Individual EU member countries may impose additional restrictions on top of the standard GDPR provisions.
Ensuring GDPR compliance has been a lengthy process for many businesses, and for some the process is still not complete. If you are one of these businesses and you are still struggling, you should seek legal assistance now. Having an experienced professional review your personal data collection and processing policies will make it easier to identify gaps, shortcomings and potential GDPR violations.