Newcomer I

GDPR - What is considered personal data?

Hi community,

 

I have a very practical question: Since the regulation defines personal data as “Any information relating to an identified or identifiable natural person…”, does it mean first + last name is considered personal data? Historically we identified PII as a combination of several elements like name + address or name + social. If first + last is indeed considered personal information under GDPR the impact is much more significant so we want to make sure we're addressing it appropriately.

 

I haven't been able to get a straight answer yet so I figured someone here might be able to help.

 

Thanks!

 

33 Replies
Community Champion

Re: GDPR - What is considered personal data?

First of all it must belong to a living entity, not a deceased one.  

 

"Any information relating to an identified or identifiable living natural person (data subject)."

 

A data subject is defined as the individual whose data is being collected and can be identified from the data.

 

Does this answer your question?

 

 

 

Community Champion

Re: GDPR - What is considered personal data?

So out of the data available that you hold - can you identify the person from the information you hold, i.e. can you identify their activity by location (GPS), by IP address and/or MAC address, biometric data, DNA, or by association with their abode, i.e. address, bank numbers, social number, etc.

 

All of these could identify that living person.

 

 

Viewer II

Re: GDPR - What is considered personal data?

Suggest you have a look at the EU's independent data protection authority's website for a definition: https://edps.europa.eu/node/3110#personal_data

They give examples too: 

"The name and the social security number are two examples of personal data which relate directly to a person. But the definition also extends further and also encompasses for instance e-mail addresses and the office phone number of an employee. Other examples of personal data can be found in information on physical disabilities, in medical records and in an employee's evaluation."

Recently attended a session hosted by the deputy EU data protection supervisor where they even stated IP addresses may be considered personal data. Might make sense to keep an eye on their website as they promised to come up with guidance documents.

Community Champion

Re: GDPR - What is considered personal data?

Good point:  I am seeing so many different interpretations of the facts - we should always go back to the original source for the true facts.

Community Champion

Re: GDPR - What is considered personal data?

Well, given that there was a European Court case, which was upheld on the very fact that IP addresses and/or MAC addresses could identify the activity of the individual involved - then this is also the stance taken by my organisation as well. However, only by the lawyers, who are obviously waiting for the 25th May 2018 to deliver their lawsuits and challenges, will this be tested fully.

Viewer II

Re: GDPR - What is considered personal data?

And it goes further than "just" IP addresses. Imagine you have an outsourcing center (helpdesk, customer support, etc) somewhere in Asia (India, Phils, you name it). Seemed to be sort of an issue if data is shared (and if it was via screen only) with those folks.

Community Champion

Re: GDPR - What is considered personal data?

Yes, the Data Processor - A person or body acting on behalf of the data controllers to store or process the data.

 

I know, every contract has to be reviewed, from a risk management perspective, and agreed with the clients and appropriate Technical & Organisational Measures (TOMs) have to be agreed and put in place.

 

 

Community Champion

Re: GDPR - What is considered personal data?

https://www.irishtimes.com/business/technology/european-court-of-justice-rules-ip-addresses-are-pers...


@Caute_cautim wrote:

Well, given that there was a European Court case, which was upheld on the very fact that IP addresses and/or MAC addresses could identify the activity of the individual involved - then this is also the stance taken by my organisation as well. However, only by the lawyers, who are obviously waiting for the 25th May 2018 to deliver their lawsuits and challenges, will this be tested fully.


 

Newcomer I

Re: GDPR - What is considered personal data?

There is a really good paper on this on the ICO (Information Commissioner's Office) web site in the UK with lots of examples: https://ico.org.uk/media/for-organisations/documents/1554/determining-what-is-personal-data.pdf. It builds up the scenarios really well - ultimately you have to make a sensible decision. For me it boils down to some simple questions:

 

- Is it an organised electronic or paper store

- can identify a living person (or use identifiers to get to that living individual e.g. IP address)

- the attributes and information that relate to that living person are personal information.