GDPR: New definition of personal data and why it matters

At the centre of the GDPR is a new definition of personal data. Companies that fail to understand the new definition will have a hard time reaching compliance with the upcoming data regulation. In this blog post, we place the new definition of personal data under the microscope and examine what it means to you.

The GDPR’s definition of personal data is considered to be ‘new’ because it varies slightly from the definition that was established under the Data Protection Act from 1998.

The new definition is vital because it pretty much creates the entire premise for how companies should react to data protection laws.

New definition of personal data
Considering that 1998 was almost prehistoric compared to today’s technological and digital standards, it might surprise you that the definition is relatively unchanged. It has changed, however, with the key difference being that the GDPR uses a definition that is much simpler than its ancestor from 1998: simpler, and much more exhaustive in its scope. Anyway, let’s try to get up close with the two definitions.

Under the Data Protection Act from 1998, personal data relates to an individual who is identifiable “from those data” or “from those data and other information which is in the possession of, or is likely to come into the possession of, the data controller”. Under the Data Protection Act, personal data wasn’t just names, personal identification numbers or addresses. Any piece of the puzzle, so to speak, was considered personal.

A simple definition
That principle remains alive and well under the GDPR. Here the definition is quite simply that ‘any information relating to an identified or identifiable natural person’ is personal data. Pretty simple, right? If you have data concerning a person, it is personal data. Very little to get wrong there.

With a simpler definition, more data is considered personal, including a vast range of so-called ‘online identifiers’ that weren’t nearly as prominent in 1998. Online identifiers include IP addresses and location data, types of information that many MSPs have lying around in bundles.

Strict requirements for sensitive personal data
In addition to personal data, the GDPR classifies certain types of information as ‘Sensitive Personal Data’. The requirements for processing sensitive personal data are stricter than those for personal data, a concept that is also derived from the Data Protection Act. But once again the wording is slightly different in the GDPR.

Sensitive personal data is defined as data consisting of – deep breath – racial or ethnic origin, political orientation, religious or philosophical beliefs, trade union membership, biometric data, genetic data, health status and data concerning a person’s sex life and sexual orientation. Got all of it?

If you possess any of this data, you should definitely treat it with greater sensitivity.

Three highlights:
– The GDPR’s definition of personal data differs from that of the 1998 Data Protection Act.
– The new definition is simpler and covers a broad range of data types, including ‘online identifiers’.
– The GDPR includes data that is classified as ‘sensitive personal data’. The requirements for processing ‘sensitive personal data’ are stricter than those for personal data.