What is “Personal Data”?

DATA PROTECTION
Written By Danielle OReilly

Introduction

No doubt you’ve heard this term, but what does it really mean?

In the eyes of the law, the term “personal data” is significantly broader than what you or I would typically assume. While data fields like name, date of birth and email address would be correctly assumed to be “personal data” it’s actually information that can on it’s own or in combination with others be used to identify a living person, even unique ID’s! Not only is it broad, but businesses can easily slip up and process personal data without even realising.

Let’s take a look at the 2 types:

Type 1: Personal Data

This is information that goes as far as identifying a person.

For example, if you know someones name, or perhaps, you know a persons job role and where they work, you could put that information together to identify a specific person.

Because it is unlawful to process personal data, if you want to do something with it (like collecting it, or storing it) then you need to find something in the law that allows you to do so. For this category of personal data, we call this trying to find an Article 6 lawful basis of processing. Once you find one that is relevant, like consent from the person, then you can move forward.

But what if you need to process more than this category?

Type 2: Special Categories of Personal Data (Sensitive Data)

This is information that goes beyond identifying a person.

We’re getting really personal now. This category covers things that are considered sensitive to the person such as their health information, sexuality, political affiliation and more.

In order to process this type of personal data, you need to have 2 lawful basis for doing so. The first one is for Type 1 outlined above, and the second type is what we would call an Article 9 lawful basis which is needed in addition to the Type 1.

Are you handling “Personal Data”? Let’s check out some examples:

Filming and Personal Data

A common one is to assume that if you can’t see someones face it means a video or image isn’t personal data.

Remember, you don’t need one data field in isolation.

The fact that the person might not be identifiable in the video isn’t enough, the video is attached to a persons file so the name in the file tells us who the video is of.

That means both the file and video count as personal data.

Marketing and Personal Data

Every business will want to market their products, services and special promotions and an email list is THE way to have direct contact with your target audience.

At a very minimum you will be collecting name and email address, but also things like date of birth, gender identity and location.

All these things can be used to identify a person so they count as personal data!

So what’s next?

Now that you know that you are working with personal data (and that means that it is regulated by law), you need to know whether what you are doing with it counts as processing.

But…what is “Processing”? I hear you ask. Click to find out more.

 

Want more resources?

Danielle OReilly
Previous

What is “Processing” Personal Data?
Next

5 tips to start ANY business