What is personal data? I don’t process personal data, GDPR doesn’t apply to me!
Many people say to us “I don’t process personal data, GDPR doesn’t apply to me”. But with personal data covering everything from a name and a business or personal email address to an IP address, we are always compelled to ask “are you sure?”
So what is personal data under GDPR?
The definition of personal data under the General Data Protection Regulation (GDPR) is very broad. It covers any information relating to a living person who can be identified either:
Directly from that information on its own, or
Indirectly, by combining it with other information that is available or reasonably likely to be available.
This definition doesn’t just relate to your customers or clients but to your employees, contractors, suppliers, donors or any other contacts that you deal with in the process of doing business.
List of personal data
The first part of the GDPR definition, direct identification, covers obvious identifiers such as a name, but in its most basic form it can also include:
Photos or video footage of people (including CCTV)
IP addresses of computers and phones
An individual’s email address (business or personal)
An individual’s phone number
Using other information that’s available
But it’s the second part of the definition of personal data under GDPR, indirect identification, that can make things more complicated. For example, you might have a list of employees that refers to them only by employee number. That list is still personal data if a separate record linking employee numbers to names exists and someone could reasonably gain access to it. Replacing names with numbers (pseudonymisation) does not take the data outside GDPR; only information that cannot be linked back to an individual by any reasonably likely means is truly anonymous.
Context specific personal data
And to make things even more complicated, whether a piece of information qualifies as personal data can change depending on the context. For example, ‘the business development manager at Company X’ is personal data if Company X has only one business development manager, because it singles out one person. If there is more than one, the phrase does not on its own identify an individual, so it would not by itself be considered personal data (although it may still be personal data once combined with other information you hold).
Personal data and levels of risk
Personal data must always be protected, but different measures are appropriate to different types of information.
Special category personal data
There are certain types of information that you might hold that are deemed ‘special category’ data under Article 9 of GDPR. This includes information on health, racial or ethnic origin, religious or philosophical beliefs, political opinions, trade union membership, sex life or sexual orientation, and genetic or biometric data used to identify someone. You might not process this type of information about customers, but what about your employees? Do you hold health information about them as part of your health & safety legal obligations, or sickness absence records?
You won’t be surprised to know that you are required to provide extra safeguards for any special category personal data that you process. Processing it is prohibited unless you can rely on one of the specific conditions set out in Article 9, such as explicit consent or a legal obligation in employment law, in addition to your usual lawful basis.
So do you process personal data?
Hopefully this blog has persuaded you that you do process personal data in the course of your business, in which case you need to take steps to become GDPR compliant. But don’t worry, help is at hand. Astrid helps small businesses improve their data protection and become GDPR compliant. Developed with SMEs in mind, our secure online platform shows you what you need to do, and gives you the tools and information you need - all broken down into practical, manageable steps. Find out more about our services.
And if you still think you don’t process personal data then please drop us a line - we are fascinated to find out how you do business without it!
If you process personal data, you will probably need to pay a data protection fee to the ICO. Find out more about the ICO data protection fee, including who the ICO is, why there is a fee and who is exempt from paying it.
Protect your business - become and remain GDPR compliant with Astrid