The definition of personal data was updated with the introduction of the General Data Protection Regulation (GDPR) and the new Data Protection Act 2018 (DPA 2018).
Personal data is any information that can be used, directly or indirectly, to identify a living individual. This includes a name, a location, or an online identifier such as an IP address.
Information about a deceased person is not personal data. Similarly, information about companies or public authorities is not personal data, although information about the individuals who work there, or about a sole trader, can be.
Who does the GDPR apply to?
The GDPR applies to organisations of any size that process the personal data of individuals in the EU in the course of economic activity, whether or not the organisation itself is based in the EU. The main exception is the processing of personal data in the course of purely personal or household activity.
The regulations introduced new and consistent standards as to how personal data is used by data controllers and data processors.
A controller determines the purposes for which, and the means by which, personal data is processed. A processor processes personal data on the controller’s behalf and must act only on the controller’s documented instructions. Both roles carry direct obligations under the regulation, and either can be penalised for non-compliance.
In this article, ‘organisation’ refers to both data controllers and processors.
What is personal data: GDPR’s 7 key principles
The GDPR sets out seven key principles for controlling and processing personal data:
- Lawfulness, fairness and transparency
- Purpose limitation
- Data minimisation
- Accuracy
- Storage limitation
- Integrity and confidentiality (security)
- Accountability
Lawfulness, fairness and transparency
Your organisation must have a valid lawful basis for collecting, retaining and using personal data, and must not breach any other law in doing so. Your use of the personal data must be ‘fair’, meaning it should not result in the individual being unjustifiably disadvantaged, suffering loss or coming to harm. You must also be transparent: tell individuals clearly how their personal data will be used from the point at which it is collected and for as long as you hold it.
Purpose limitation
You must collect personal data only for specified, explicit and legitimate purposes, and you cannot change the way you use the personal data you have gathered unless at least one of the following applies:
- the new use is compatible with the original purpose
- you obtain fresh consent for the new use
- the new use is permitted by a specific legal provision
Data minimisation
Data minimisation means that the personal data you collect must be adequate for your purpose, relevant to that purpose, and limited to what is necessary. You are not allowed to gather more information than is needed for that purpose.
Accuracy
You must ensure that the personal data you hold is accurate and, where the way you use it requires it, kept up to date.
Should you find any of the data to be inaccurate, you must correct or erase it without delay.
This principle also requires you to give individuals a way to check and correct the personal data you hold on them.
Storage limitation
You must not keep personal data for longer than you need it, and you should make clear how long the organisation will hold each kind of information, for example in a retention schedule.
Under this principle you must also give individuals the opportunity to review the information you hold on them and to request that it is erased.
Personal data kept solely for public-interest archiving, historical or scientific research, or statistical purposes may be retained for longer, subject to appropriate safeguards such as pseudonymisation.
Integrity and confidentiality
You must put in place appropriate technical and organisational measures to protect any personal data you hold against unauthorised or unlawful processing and against accidental loss, destruction or damage.
This covers physical security, such as who can access company premises and computers, and technical security, such as access controls, encryption, backups and the safeguards offered by any cloud storage you use.
Accountability
You must take responsibility for complying with the GDPR and be able to demonstrate that compliance, by putting in place appropriate procedures and keeping records and documentation of your processing.
What is personal data: Rights of the individual
Under GDPR, individuals have the following rights regarding their personal data:
- The right to be informed: this should include, but is not limited to, how their information is collected, how it will be used, how long it will be kept for, and who it will be shared with.
- The right of access: individuals may ask for a copy of the personal data you hold on them at any time, normally free of charge, and you must respond within one month. That period can be extended by a further two months where requests are complex or numerous, provided you tell the individual within the first month.
- The right to rectification: individuals may ask you to correct inaccurate or incomplete information you hold on them, and you must act on the request within one month.
- The right to erasure: individuals may ask you to erase the personal data you hold on them (the ‘right to be forgotten’), and you must respond within one month. This right is not absolute, and a business may refuse where, for example, the data must be kept to comply with a legal obligation.
- The right to restrict processing: where such a request is made, a business may continue to store the personal data but may not otherwise use it. Again, this right is not absolute and the request may be challenged.
- The right to data portability: individuals may request a copy of the personal data they have provided to you in a structured, commonly used and machine-readable format that can easily be passed to another business or service. This applies where processing is based on consent or a contract and is carried out by automated means.
- The right to object: individuals may object to, and therefore halt, the processing of their personal data. Where the data is used for direct marketing the objection must always be honoured; in other cases you may continue only if you can show compelling legitimate grounds that override the individual’s interests.
- Rights connected with automated decision-making and profiling: a decision that is based solely on automated processing and that has legal or similarly significant effects on an individual may only be made where one of the following conditions is met:
- it is necessary for entering into, or performing, a contract with the individual
- it is authorised by a law that applies to the controller
- the individual has given explicit consent
What is personal data: Penalties for non-compliance
Should your business be found to be non-compliant with the GDPR, the Information Commissioner’s Office (ICO) may impose administrative fines at its discretion. There are two tiers:
- Up to 10 million euros, or 2% of annual global turnover for the preceding financial year, whichever is higher, for breaches of obligations such as record-keeping, security and breach notification
- Up to 20 million euros, or 4% of annual global turnover for the preceding financial year, whichever is higher, for breaches of the core principles, individuals’ rights or the rules on international transfers
These are not mandatory fines and the ICO will take a number of factors into consideration:
- the seriousness of the non-compliance
- whether the non-compliance was intentional or negligent
- whether the related business attempted to rectify the non-compliance
- the size and nature of the business
- previous occurrences of non-compliance
- the type and level of sensitivity of the personal data involved
- how the non-compliance became apparent, for instance, through a customer complaint or through the business itself
Individuals who have suffered material or non-material damage as a result of an infringement of the GDPR may also be entitled to claim compensation from the non-compliant controller or processor.
How legal advice can help
GDPR compliance can be a challenge for organisations. If you have questions about personal data or GDPR best practice, take specialist legal advice to help you navigate the regulations and ensure that your business is fully compliant.