Data is the new oil in our modern world. But the scope of personal data may include more than you realise.
Are you clear about how you can store the data?
If not, you need to act now.
What is personal data?
There’s no definitive list of what is or isn’t personal data. It comes down to interpreting the GDPR’s definition:
“[P]ersonal data’ means any information relating to an identified or identifiable natural person (‘data subject’).”
A data subject is an identified or identifiable person. So personal data is a very wide definition that means any information that relates to a particular and living person. The GDPR provides specific examples of what constitutes personal data:
- Identification number (e.g. National Insurance, payroll or passport number)
- Location data (e.g. home address or mobile phone GPS data)
- Online identifiers (e.g. an IP or email address)
- Factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of a person
Sensitive personal data is covered in GDPR as ‘special categories’ of personal data which include:
- Biometric data for the purpose of uniquely identifying a natural person, including facial images and fingerprints
- Data concerning health which reveals information about a person’s health status (including both physical and mental health and the provision of healthcare services)
- Genetic data relating to the inherited or acquired genetic characteristics which give unique information about a person’s physiology
- Political opinions
- Racial or ethnic origin
- Religious or philosophical beliefs
- Sexual orientation
- Trade union membership
Are names always considered personal data?
Interestingly, no. You may think your name is a defining characteristic but it depends what the data is combined with. As the Information Commissioner’s Office explains:
“By itself the name John Smith may not always be personal data because there are many individuals with that name… However, where the name is combined with other information (such as an address, a place of work, or a telephone number) this will usually be sufficient to clearly identify one individual.”
Equally, the information you have could be personal data even if you don’t know the person’s name. Just because you do not know the name of an individual does not mean you cannot identify them. Think of a police identity parade!
What does ‘processing data’ mean?
Processing is anything that is done to, or with, personal data. This includes but is not limited to collecting, recording, organising, structuring, storing, adapting, altering, erasing or destroying.
A processor processes the data on behalf of a controller.
A controller’s role is to determine the purpose and mean of the processing of personal data.
What responsibilities do you have?
Anyone who processes personal information is legally responsible for making sure that the information is:
- Adequate, relevant and not excessive
- Processed fairly and lawfully
- Obtained only for one or more specified and lawful purposes, and not further processed in any manner incompatible with that purpose or those purposes
- Accurate and-up to-date
- Processed in accordance with the rights of data subjects under the GDPR and Data Protection Act 2018
- Kept for no longer than is necessary
- Secure (for example using appropriate measures to protect against unauthorised or unlawful processing of personal data and against accidental loss or destruction of, or damage to, personal data).
Why should you collect customer data?
Customer data is a huge business. Businesses can use it for a range of purposes to understand their day-to-day operations, to make informed strategic decisions and learn about their client base. Equally companies have built entire business models around consumer data, selling personal information to third parties or through targeted ads.
How can you use personal data?
Customer data is usually collected in three ways:
- By directly asking customers
- By indirectly tracking customers
- By adding other sources of customer data to your own.
Businesses of any size use data for different reasons, such as:
- Services and tasks: Marketing springs to mind, but plumbers couldn’t do their job if they don’t know where you live. Often you need customers’ personal information to perform your business objectives.
- Profiling: Consumers often benefit from companies using their personal data. Streaming services use personal data to recommend films and TV programmes that users might enjoy. Shopping history is used to suggest similar products that a consumer might be interested in. Companies can directly target consumers through emails, texts or messages as well as ads.
Individuals have the right to object to profiling. Companies must inform individuals of their right to object at the point of first communication, as well as in a privacy notice.
What happens if someone asks to see or delete their personal data?
Individuals can make a ‘subject of access request’, acting on their free right to access their personal data held by a company. Individuals can also request to have their personal data erased and to prevent processing in specific circumstances. These circumstances include, but are not limited to:
- Where the personal data is no longer necessary in relation to the purpose for which it was originally collected/processed
- Where the personal data was unlawfully processed
- Where the individual withdraws consent
- Where the basis for processing is that it is in the organisation’s legitimate interests to do so, but the individual objects to the processing and there is no overriding legitimate interest for continuing the processing
If you receive an objection to processing personal data for marketing purposes, you must ensure that the individual’s personal data is no longer processed for such purposes.
What about Brexit?
The UK has left the EU, meaning that from 1 January 2021 the GDPR no longer applies directly to the UK.
The GDPR has been retained in UK law and will continue to be read alongside the Data Protection Act 2018, with technical amendments to ensure it can function in UK law. This new regime is known as ‘the UK GDPR’.
So in practice, UK organisations operating only in the UK must still comply with GDPR requirements. UK organisations that process personal information of individuals in the EU may need to:
- Appoint an EU representative;
- Identify a lead supervisory authority in the EU;
- Update policies, procedures and documentation in light of these changes.
How should you handle personal data?
Usually it’s best to side with caution. Make sure the processing of personal data is limited to what is necessary and you only keep data for only as long as it meets its purpose.
Our top tips:
- Communication is key. You must be completely transparent about your data collection processes. Your custom-made privacy notice should be publicly available on your website. You should invest in data security training for your staff too.
- Only store what is necessary. Try to find the balance between what you need for audience targeting and strategy vs risk. The less data you have, the less data that can be compromised in the event of a security incident.
- Protect your customers’ data. Use advanced cybersecurity measures, reliable encryption software, two-factor authentication and a virtual private network service to encrypt internet traffic.
Key takeaway: Knowing what is considered personal data is the first step. Then you can manage how to process, store and use the data. Good habits early in your company lifecycle makes it much easier to manage in the long term.