In the world of compliance, businesses have to be on-point in their understanding of what's being asked of them to avoid costly liability. And to know what they're expected to do, they need to understand what the regulators mean when they use certain terms.
The European Union's General Data Protection Regulation (GDPR) contains a slew of such terms. Of the many concepts at play in the new regulation, the notion of "personal data" is one of the most fundamental.
In order to understand obligations pertaining to how businesses are supposed to handle personal data, it is critical for you to understand what personal data is in the eyes of the regulators.
The glossary of terms on the EU's GDPR webpage gives a slim definition of personal data, which is:
"… any information related to a natural person or ‘Data Subject’, that can be used to directly or indirectly identify the person."
If you're trying to achieve or maintain GDPR compliance, this definition probably feels a little too general. It leaves it to the reader to imagine what types of data might be considered "identifying," especially as regards "indirect identification."
International law firm White & Case is one source that has helpfully stepped in with a comparison of GDPR's definition of personal data against the definition in the previous iteration of the EU's (much less far-reaching) data privacy law, to tease out some of the distinctions. The more in-depth description of the GDPR rule indicates that personal data can be any information relating to a person who is "identified or identifiable," information such as:
We can see from this list that while what we think of as "personal data" in a casual sense is pretty limited, the way that personal data is construed by the GDPR encompasses a lot more information – information that your business might have on hand and not even fully realize.
For instance, you probably have client names, addresses and the like in your database – but is some part of your IT operation collecting IP addresses or other data that could be used to tie an individual who you've done business with to a specific location?
And while concerns about having identifying information about genetics is probably more applicable to those working in medicine and related fields, factors like "social identity" could pull a whole range of potential in-house communications under the umbrella of "personal data."
So even after having gotten this clarification, you probably have some questions – if not more than you started out with. And as you no doubt have guessed …
If it seems as though this technical definition of personal data could have profound, unforeseen impacts on your ability to reach compliance with your IT operations – it could. And it's only one of many very specific terms being defined by the GDPR to determine compliance. The penalties for non-compliance are hefty (if not potentially debilitating) at up to €20 million or 4 percent of global annual turnover.
But you don't need to worry – if you're active in taking the right steps. Perhaps the most important of those steps is learning as much as you can about how GDPR will impact you, and what exactly you're expected to do to comply.
And while internet research can give you a good start, there's really no better way to learn about such complex and intricate matters than directly from the experts.
SpringCM, in conjunction with A-LIGN, hosted a webinar that discussed this complex and nuanced regulation.
The on-demand webinar, titled GDPR Preparedness: How to Ensure You're Ready for May 2018, features a discussion of the granular ins-and-outs of GDPR preparedness vital to understand for any business that processes or handles the information of EU citizens.
Listen in as A-LIGN Director of Security Services Petar Besalev and SpringCM Chief Information Security Officer Chris King discuss what GDPR is, why it is important, how you can make sure you're compliant, and why GDPR compliance isn't just important for avoiding the stiff penalties – but for building relationships in today's global economy.
Editor's Note: This post was originally published in October 2017. It has been updated for accuracy and comprehensiveness.