Francois1208
Newcomer I

GDPR - What is considered personal data?

Hi community,

 

I have a very practical question: Since the regulation defines personal data as “Any information relating to an identified or identifiable natural person…”, does it mean first + last name is considered personal data? Historically we identified PII as a combination of several elements like name + address or name + social. If first + last is indeed considered personal information under GDPR the impact is much more significant so we want to make sure we're addressing it appropriately.

 

I haven't been able to get a straight answer yet so I figured someone here might be able to help.

 

Thanks!

 

33 Replies
Francois1208
Newcomer I

Thanks for the replies. So it sounds like having someone's first and last name could be considered personal data if I can identify who that person really is. For example there could be many John Smiths at my company but I wouldn't consider that personal information if I don't have anything else to say who it is (e.g. phone #, employee ID, job title, etc.). Conversely if the name is unique then I should assume it is considered personal (assuming I'm just talking within the boundaries of my company's information systems).

Francois1208
Newcomer I

That's great - just what I was looking for. Now the next question is how does what the ICO says hold true in regards to European regulations? Can we assume they all have the same definitions and views?

Witheaaxw
Newcomer I

It depends.

 

If your only information is "John Smith" who lives in London there are probably many 1000's so not PI.  

 

If you say "John Smith" in my company where there are just 5 of them then probably PI, especially if you add other information (age, job title, department etc).

Witheaaxw
Newcomer I

Yes, the GDPR was introduced to standardise the approach across the EEA - as the DPA directive went off in many different directions in each state (or region in the case of Germany). It comes into force on 25 May 2018. That said, there will be a period of adaptation. There is scope for some limited divergence (but it is minuscule). What is missing is people that can apply the rules in a sensible, practical, risk-based manner.

 

The GDPR quickly gets us into the IT Security realm and here the legislation is not a lot of help other than calling out for 'appropriate organisation and technical standards' - which is where the CISSP is incredibly helpful as a starter. 

 

The challenge is for someone to put a practical slant on all the specialists (Data Protection Officer, Security Officer, Lawyer, IT professionals, Business User, Compliance (in Financial Services), Risk (in Financial Services), internal/external audit etc.). You get the challenge.

 

Slight challenge because the UK is (probably) leaving the EU.  Nevertheless, the draft new DPA Bill seeks to implement the GDPR in full and deal with some of the gaps.

Early_Adopter
Community Champion

Firstly, IANAL, so this is not legal advice; secondly, 'Personal Data' is not equal to 'PII', and it sounds like you have the correct definition, which is broad and needs to be interpreted by your legal counsel.

 

First name plus last name is most definitely personal data, and you must have a contract or other legal grounds or consent to process this data. Though as NIST SP 800-122 has the following in its definition of PII:

 

    'Name, such as full name, maiden name, mother’s maiden name, or alias'

 

You might want to have them look at PII as well. You can certainly distinguish with a full name, and if not too common, tracing is also quite easy.

 

Here's probably the best definition out there for a native English speaker:

 

What information does the GDPR apply to?

 

  • Personal data

    The GDPR applies to ‘personal data’ meaning any information relating to an identifiable person who can be directly or indirectly identified in particular by reference to an identifier.

    This definition provides for a wide range of personal identifiers to constitute personal data, including name, identification number, location data or online identifier, reflecting changes in technology and the way organisations collect information about people.

    The GDPR applies to both automated personal data and to manual filing systems where personal data are accessible according to specific criteria. This could include chronologically ordered sets of manual records containing personal data.

    Personal data that has been pseudonymised – eg key-coded – can fall within the scope of the GDPR depending on how difficult it is to attribute the pseudonym to a particular individual.

  • Sensitive personal data

    The GDPR refers to sensitive personal data as “special categories of personal data” (see Article 9).

    The special categories specifically include genetic data, and biometric data where processed to uniquely identify an individual.

    Personal data relating to criminal convictions and offences are not included, but similar extra safeguards apply to its processing (see Article 10).

https://ico.org.uk/for-organisations/guide-to-the-general-data-protection-regulation-gdpr/key-defini...

 

Hope this helps.

 

Early_Adopter
Community Champion

Just realized there's a huge flash to bang on my post - sorry for being behind the curve.

 

John Smith is a name, therefore is personal data and by the GDPR can't be processed without the contract, or other legal means such as John Smith explicitly giving his consent.

 

On the question of the UK leaving the EU, if it doesn't get adequacy as a third country under the GDPR it's pretty much game over for large sections of the UK's information economy. End state I would say is UK is bound to uphold the GDPR but has no say in subsequent revisions. 

 

 

 

 

Bhuwnesh
Viewer II

The personal data is something which helps define/identify your identity and personal belonging. It may be anything like your health data, bank data, name and age etc.

arifhussain
Viewer II

Hi,

 

With only first name + last name, the person can't be said to be uniquely identified, as there might be many people with the same name and surname. It has to be combined with some other information like address, ID number etc.

 

The real question is: "If a European citizen travels to another country and visits a hospital, is the hospital liable to protect the European citizen's health-related data?" 🙂

 

A lot of questions and scenarios require clarity, but GDPR is a really good initiative.

 

Regards,

Arif

Bhuwnesh
Viewer II

I got it first time 🙂 it's your identity status 🙂 like I said. Your name itself is not your identity. It's always a combination of many things. A name can belong to many people but the identifiable make it unique. Like your name + surname + gender + status etc.

 

The GDPR is a European standard, not for the rest of the world. If you travel to another country and share your data then they have to protect your data as per local regulations/standards unless you/others make an agreement for European GDPR.

Caute_cautim
Community Champion

Just some small points, yes, it is a European Law, but it is not just about identifying individuals, it also affects all companies who are conducting business and services with European entities.  Example:  A New Zealand Bank who has outlets in Europe, would employ European citizens for instance, so they would have to deal with this legislation as well.

 

The implications are far wider than you think, it is not just European bound.

 

It will affect organisations such as Google, Facebook and many others offering services around the world.