A piece of data may be classed as personal data in the hands of one organisation but may not be classed as personal data in the hands of another.
It all depends on what purpose the organisation is processing the data for.
Therefore, the purpose for which the controller is using the data must be considered carefully in order to decide whether the data relates to an individual and is therefore personal data.
Personal data is any information relating to an identified or identifiable natural person (a ‘data subject’); the GDPR protects individuals who are in the EU regardless of their citizenship. It includes basic identifying information such as names, addresses, telephone numbers, driving licence numbers, credit card details and online identifiers such as IP addresses and cookie IDs. It also includes special category data, such as genetic and biometric data, which attract additional protection.
GDPR took four years to debate and finally draw up and consists of 99 articles and 173 recitals, making it one of the most complex pieces of legislation ever produced by the EU. Its stated purpose is to “protect all EU citizens from privacy and data breaches in an increasingly data-driven world”.
Since the GDPR took effect in May 2018, the Information Commissioner’s Office (ICO) has received a monthly average of 1,276 data breach notifications – 43 notifications per day.
Data controller/data processor
What exactly is a data controller and what is a data processor?
The data controller is the person or body who determines the purposes and means of processing personal data – they decide what the data is for – and what’s going to happen to it.
A data processor is a person or body separate from the data controller (i.e. not one of its employees) that processes personal data on the controller’s behalf. In essence, the controller gives the processor a specific job to do, and the processor does it. A processor that goes beyond its instructions and starts determining the purposes and means of the processing itself becomes a controller for that processing, with a controller’s obligations.
The GDPR covers the processing of personal data in two ways:
- personal data processed wholly or partly by automated means (that is, information in electronic form); and
- personal data processed in a non-automated manner which forms part of, or is intended to form part of, a ‘filing system’ (that is, manual information in a filing system).
The ICO gives the following example on its website of how the same information can be classed and dealt with differently, depending on the purpose for which it is processed.
“A journalist takes a photograph of the beach on a sunny day to publish in a local newspaper alongside a story about record-breaking temperatures. The photograph includes some individuals who are relaxing on the beach and is of sufficient quality that some of the individuals may be identifiable.
The journalist is not processing the photograph to learn anything about any of the individuals whose images were captured, nor is it likely that the journalist would ever process the photograph for that purpose. Whilst processed by the photographer, the photograph would not be personal data as it is not used to record, learn or decide something about the individuals.
One of the individuals photographed on the beach had told their employer they needed to attend a funeral and had taken compassionate leave from work on that day.
Their colleague sees the photograph published in the newspaper, scans a copy and e-mails it to the manager of the individual photographed. The photograph is added to the individual’s personnel file in order to start disciplinary proceedings for taking compassionate leave under false pretences.
When being processed by the individual’s employer, the photograph is being used to record, learn or decide something about the individual. For this reason, it would be personal data when processed by the employer.”
Therefore, although the photograph may or may not count as personal data under GDPR depending on the purpose of processing, its publication could still be considered an invasion of privacy. Even where GDPR does not apply, privacy should still be considered.
Organisations handle personal data in different ways, and whether or not the information you hold could identify someone depends on context.
It is important to understand whether you act as a controller or a processor, as this shapes your responsibilities under EU data protection law.
Before the implementation of GDPR, data processors could avoid direct liability under the law. The Regulation now places obligations directly on processors, who face regulatory intervention, including reprimands and possible fines, in the event of a compliance breach.
Organisations are obliged to report certain personal data breaches to Data Protection Authorities (DPAs) and affected individuals. A personal data breach is defined under the Regulation as “a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed”. A controller must notify its supervisory authority without undue delay and, where feasible, within 72 hours of becoming aware of the breach, unless the breach is unlikely to result in a risk to individuals; where it is likely to result in a high risk to individuals, the affected individuals must also be informed. A processor must notify its controller without undue delay after becoming aware of a breach.