GDPR, which comes into force on May 25th 2018, is to regulate the handling of ‘personal data’. There’s a lot of noise about it, but a lot of confusion as well. How the regulation should be interpreted is not always clear so it’s good to get the definition from the horses mouth. The actual definition of ‘personal data’ is, as defined in Article 4 of the regulation:
‘personal data‘ means any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.
European Data Protection Law – General Data Protection Regulation 2016 – Andreas Linder (Ed.)
The Information Commissioner’s Office has the following:
The GDPR applies to ‘personal data’ meaning any information relating to an identifiable person who can be directly or indirectly identified in particular by reference to an identifier.
This definition provides for a wide range of personal identifiers to constitute personal data, including name, identification number, location data or online identifier, reflecting changes in technology and the way organisations collect information about people.
So it would seem that, according to the ICO, a combination of personal identifiers can constitute personal data even if no other associated information ‘relating to’ the individual is involved. Any information that can be used to uniquely identify an individual is considered personal data. Given the amount of information now publicly available via social media and other online content, that definition is pretty broad. Could the information you hold, in combination with other available content, uniquely identify an individual? If so it needs to be given ‘appropriate technical and organisational measures’ to secure it. (GDPR Article 32).