The definition of personal data was updated with the introduction of the General Data Protection Regulation (GDPR) and the new Data Protection Act 2018 (DPA 2018).

Personal data can be defined as information, which can be used to directly or indirectly identify an individual. This includes a name, location or IP address. It also includes online identifiers and one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person. Data that has been truly anonymised is not personal data; pseudonymised data remains personal data if re-identification is reasonably possible.

Where the information is in connection with a deceased person, it is not deemed to be personal data. Similarly, information about companies or public authorities would not be classified as personal data, although information about individuals within those organisations (for example, sole traders, partners or employees) can be personal data.

Who does the GDPR apply to?

The GDPR applies to organisations of any size that process EU residents’ personal data in the course of economic activity. The only exception is the processing of personal data in the course of exclusively personal or household activity. In the UK, the **UK GDPR** (as retained and amended in domestic law) and the DPA 2018 apply to processing carried out by UK organisations. UK organisations may also be directly subject to the EU GDPR if they offer goods or services to, or monitor the behaviour of, individuals in the EEA.

The regulations introduced new and consistent standards as to how personal data is used by data controllers and data processors.

A controller decides how personal data will be used and how it will be processed. The processor processes the data on the controller’s behalf and must do so in accordance with the controller’s instructions. Both roles are responsible for adhering to the regulations and can therefore be penalised for non-compliance. In this article we refer to organisations as both data controllers and processors.

What is personal data: GDPR’s 7 key principles

The GDPR sets out seven key principles for controlling and processing personal data:

a. Lawfulness, fairness and transparency
b. Purpose limitation
c. Data minimisation
d. Accuracy
e. Storage limitation
f. Integrity and confidentiality (security)
g. Accountability

Lawfulness, fairness and transparency

Your organisation must have valid reasons (a lawful basis) for collecting, retaining and using personal data, and must ensure that no law is violated in doing so. Lawful bases include consent, contract, legal obligation, vital interests, public task and legitimate interests. Your use of the personal data must be ‘fair’: it must not place the identified individual at a disadvantage or cause them loss or harm. You must be honest about how the personal data will be used from the point at which it is gathered and throughout the time you hold it (clear privacy information).

Purpose limitation

Before you gather any personal data, you must know exactly how you will use the information. You are required to document these reasons under GDPR and make them available as part of your privacy policy. You **do not always need consent** to process personal data; you should identify the appropriate lawful basis. Consent is one option where it is appropriate and validly obtained.

You cannot change the way you use the personal data that you gather unless at least one of the following applies:

  • the new use is compatible with the original intended use
  • you receive fresh consent
  • you are allowed to make this change lawfully (for example, a legal obligation)

Data minimisation

Data minimisation means that any personal data you collect must be sufficient for your purpose and relevant to that purpose. You must not gather more information than is necessary for that purpose.

Accuracy

You must ensure that the personal data you hold is accurate and, depending on how you use the data, kept up to date.

Should you find any of the data to be incorrect, you must correct or erase it. Within this principle is the requirement to offer identified individuals the right to check and correct their personal data.

Storage limitation

You must not continue to hold personal data that you no longer require, and you should make it clear how long any information will be held by the organisation.

Within this principle, you must consider and offer individuals the opportunity to review any information you hold on them and to request that it is erased where the right applies.

Personal data retained for the purpose of public interest archiving, historical or scientific research, or statistical use may be retained for longer.

Integrity and confidentiality

You must put in place appropriate and sufficient security measures to protect any personal data you hold.

This could be physical security, such as who has access to company computers, or online security, such as the cloud storage you use. Security should be appropriate to the risk, including measures such as encryption, access controls, testing and staff training.

Accountability

This requires that you take responsibility for complying with the GDPR and can demonstrate that compliance, putting in place compliance procedures and documentation (for example, policies, records of processing activities, DPIAs where required, and staff training).

What is personal data: Rights of the individual

Under GDPR, individuals have the following rights regarding their personal data:

a. The right to be informed: this should include but not be limited to how their information is collected, how it will be used, how long it will be kept for, and who it will be shared with.

b. The right of access: individuals may ask for a copy of all the information you hold on them at any time free of charge and you must fulfil their request within 1 month. You may extend by up to two further months where requests are complex or numerous, and you may refuse or charge a reasonable fee where a request is manifestly unfounded or excessive.

c. The right to rectification: individuals have a right to request that you correct any information you hold on them, and you must do this within 1 month (extendable by two months for complexity).

d. The right to erasure: individuals may request that you erase any personal data you hold on them (the right to be forgotten) and you must respond within 1 month. This right is not absolute and applies in specified circumstances (for example, where data is no longer needed, consent is withdrawn and there is no other lawful basis, or processing is unlawful).

e. The right to restrict processing: when such a request occurs, a business may hold the personal data but not use it. Again, this right is not absolute and such a request may be queried.

f. The right to data portability: individuals may request a copy of the information held on them in a format that can easily be passed to another business or service. This right applies to data the individual provided, processed by automated means, where the lawful basis is consent or contract.

g. The right to object: individuals have ‘the right to object’ to and therefore halt the processing of their personal data, most commonly when that data is used for direct marketing (an absolute right). They may also object to processing based on legitimate interests or public task; you must then stop unless you can demonstrate compelling legitimate grounds.

Rights connected with automated decision making and profiling: personal data may only be processed completely by an automated system where the resulting decision meets one of the following conditions **and** appropriate safeguards are in place (including the right to obtain human intervention, express a view, and contest the decision):

a. necessary for entering into a contract or fulfilling a contract
b. authorised by law which relates to the controller
c. the identified individual has given explicit consent

What is personal data: Penalties for non-compliance

Should your business be found to be non-compliant with the GDPR, there are discretionary fines that may be imposed by the Information Commissioner’s Office (ICO). Under the UK GDPR and DPA 2018 these are:

a. Up to £8.7 million, or 2% of annual global turnover, whichever is higher
b. Up to £17.5 million, or 4% of annual global turnover, whichever is higher

These are not mandatory fines and the ICO will take a number of factors into consideration:

a. the seriousness of the non-compliance
b. whether the non-compliance was intentional or negligent
c. whether the related business attempted to rectify the non-compliance
d. the size and nature of the business
e. previous occurrences of non-compliance
f. the type and level of sensitivity of the personal data involved (including any special category data or criminal offence data)
g. how the non-compliance became apparent, for instance, through a customer complaint or through the business itself

Separately, individuals who have suffered damage as a result of a GDPR breach may be able to claim damages against the non-compliant business in certain circumstances.

How legal advice can help

GDPR compliance can be a challenge for organisations. If you have any questions relating to personal data and GDPR best practices, take specialist legal advice to help you navigate the regulations and ensure that your business is fully compliant.

Author

Gill Laing is a qualified Legal Researcher & Analyst with niche specialisms in Law, Tax, Human Resources, Immigration & Employment Law.

Gill is a Multiple Business Owner and the Managing Director of Prof Services - a Marketing Agency for the Professional Services Sector.
