The General Data Protection Regulation (GDPR) clarifies the legal definition of ‘personal data’ and in doing so creates challenges for businesses. Below, we explore what’s changed and why.
Personal data today
The UK Data Protection Act 1998 (DPA) defines personal data as “any information relating to an identified or identifiable natural person”. Simply put, this means any information that can be associated with a specific human being.
In an effort to qualify this definition, the legislation also defines an ‘identifiable person’ as “one who can be identified, directly or indirectly, in particular by reference to an identification number or to one or more factors specific to his physical, physiological, mental, economic, cultural or social identity.” The phraseology used here may be confusing, but the subtext of this statement is clear: these factors and numbers should be considered personal data.
Yet despite this qualification, the DPA definition of personal data remains open to interpretation and this has created problems for data controllers. What’s more, as the legislation was published almost 20 years ago, its relevance has slowly diminished. Crucially, it never envisaged the quantity and variety of data created online. With GDPR, regulators have attempted to clear up any ambiguity with an expanded definition of the term that’s applicable in the 21st century. The jury is still out on whether they have succeeded.
The GDPR effect
GDPR largely reflects the DPA definition but also embraces location details, genetic information and online identifiers. All of this data is subject to new and stringent requirements, and any business with customers based in the EU must now revisit how it uses, stores and processes this information to ensure it is compliant. Failure to comply can result in severe fines of up to €20m or 4% of worldwide turnover, whichever is higher.
This extended definition is likely to have the greatest impact on consumer-facing brands and adtech companies. These organisations process and store large volumes of data and will now have to secure positive consent from data subjects before using this information. Failing to do so is likely to catch the attention of privacy groups, litigators and regulators, not to mention the data subjects themselves.
The key takeaway:
Under GDPR, almost all information related to an individual qualifies as personal data, even remote and indirect data. The Regulation applies to all businesses with EU customers and their supply chain partners. These organisations must ensure they’re using, storing and protecting personal data in accordance with specific requirements if they’re to avoid severe fines.
The trust-hub platform gives users visibility and control over personal data, enabling them to harness its potential and demonstrate compliance. Download our datasheet here to learn more about this solution.