What is Personal Information?
Background
GDPR, the General Data Protection Regulation (see https://eugdpr.org/), is a Europe-wide law protecting people's privacy. Although it took effect on 25th May 2018 (and was supplemented in the UK by the Data Protection Act 2018), it didn't just appear out of nowhere. It can trace its roots back to 1948 and the Universal Declaration of Human Rights, which resulted from the atrocities of WWII, and was built on in 1950 by the European Convention on Human Rights, which recognised, amongst other things, a person's right to respect for "private and family life, his home and his correspondence". It's worth bearing in mind that GDPR has been called "the most important change in data privacy regulation in 20 years" and is the gold standard against which other privacy regulations are measured.
What is Personal Data according to GDPR?
Personal Data (often loosely referred to by the US abbreviation PII, or Personally Identifiable Information, although the GDPR definition is broader) is defined in GDPR as "any information relating to an identified or identifiable natural person". So basically this is any information which can be used, on its own or combined with other information, to identify a living person. This could be a name, email address or telephone number. It can also be things you might not think of, for example an IP address, your phone's IMEI and MAC address, a car registration number or a driver's licence number; you get the picture. Photos of people in which they can be recognised are personal data, as is their voice. Police in Shanghai and Beijing have even deployed technology that can recognise people by the way they walk!
If you do anything with this data it is called 'Processing', even if it's just filing it in a filing cabinet, and GDPR applies (unless it's for purely personal or household use). You must also have what's called a 'lawful basis' for processing the information. This means a good reason for collecting it, and it has to be one of the six bases listed in GDPR: consent, a contract with the person (for example, taking an order and shipping a product), a legal obligation, protecting someone's vital interests, a public task, or your legitimate interests. Once you know that you are processing personal data, you should be aware of your other obligations under GDPR.
What is Special Category Information?
Some particularly sensitive personal data is termed 'Special Category' data, because the risk of harm to the person if it were leaked or misused is high. GDPR defines this as data revealing or concerning:
Racial or ethnic origin
Political opinions
Religious or philosophical beliefs
Trade union membership
Genetic or biometric data for the purpose of uniquely identifying a natural person
Data concerning health
Data concerning a natural person’s sex life or sexual orientation
The processing of this information is prohibited unless one of the specific exceptions in GDPR applies; for most businesses the relevant one is that the person has given explicit consent for that particular purpose. If you do collect and process this information (e.g. people's dietary requirements or allergies, which are health data and may also reveal religious beliefs) be sure to obtain and document this consent, and make sure that you take extra steps to keep it safe (for example, by using encryption and by locking your files and office).
We should also mention children's data. Whilst not exactly a Special Category, it is specifically called out in GDPR. If you offer an online service directly to children and collect data from anyone under 13 in the UK, and rely on consent as your lawful basis for doing so, then you must obtain consent from their parent or guardian (GDPR sets the age at 16 by default and lets member states lower it to 13, which the UK has done). Other protections are required, especially if you intend to market to children, so we recommend studying the ICO's guidance.
Need More Help?
If you feel that you need help, Data Compliance Specialists offer a range of services, from straightforward advice through to completing all the documentation and policies you need.