What is personal data? I don’t process personal data, GDPR doesn’t apply to me!
Many people say to us “I don’t process personal data, GDPR doesn’t apply to me”. But with personal data covering everything from a name and a business or personal email address to an IP address, we are always compelled to ask “are you sure?”
So what is personal data under GDPR?
The definition of personal data under the General Data Protection Regulation (GDPR) is very broad. It covers any information relating to a living person who can be identified either:
- directly from that information on its own, or
- indirectly, by combining it with other information that is available (to you or to someone else).
List of personal data
The first part of the GDPR definition of personal data, in its most basic form, can include:
- A name
- Photos or video footage of people (including CCTV)
- An IP address (of a computer, phone or any other device)
- An individual email address (business or personal)
- An individual’s phone number
Using other information that’s available
But it’s the second part of the definition of personal data under GDPR that can make things more complicated. For example, you might have a list of employees that only uses their employee numbers. That list is still personal data if a key exists that links employee numbers back to names, even if the key is held separately or by someone else, because an employee can be identified indirectly. GDPR calls this pseudonymised data, and it remains personal data.
Context specific personal data
And to make things even more complicated, sometimes exactly what qualifies as personal information can change depending on the context. For example, ‘the business development manager at company X’ is personal information if Company X has only one business development manager. If there is more than one, the description doesn’t single out an individual, so on its own it would not be considered personal data.
Personal data and levels of risk
Personal data must always be protected, but different measures are appropriate to different types of information.
Special category personal data
There are certain types of information that you might hold that are deemed ‘special category’. This includes information on health, racial or ethnic origin, religious or philosophical beliefs, political opinions, trade union membership, sex life or sexual orientation, genetic data, and biometric data used to uniquely identify someone. You might not process this type of information about customers, but what about your employees? Do you hold health information about them as part of your health & safety legal obligations?
You won’t be surprised to know that you are required to provide extra safeguards for special category personal data that you process. Processing it is prohibited unless you can meet one of the specific conditions GDPR sets out for special category data, in addition to having a lawful basis for processing personal data in general.
So do you process personal data?
Hopefully this blog has persuaded you that you do process personal data in the course of your business, in which case you need to take steps to become GDPR compliant. But don’t worry, help is at hand. Astrid helps small businesses improve their data protection and become GDPR compliant. Developed with SMEs in mind, our secure online platform shows you what you need to do, and gives you the tools and information you need - all broken down into practical, manageable steps. Find out more about our services.
And if you still think you don’t process personal data then please drop us a line - we are fascinated to find out how you do business without it!
If you process personal data, you will probably need to pay a data protection fee to the ICO, the UK’s data protection regulator. Find out more about the ICO data protection fee, including who the ICO is, why there is a fee and who is exempt from paying it.