Personal Data is the new gold. It fuels the new internet economy and it impacts on almost every organisation that interacts with customers. So the question is, what constitutes personal data?
Personal data is information that relates to an identified or identifiable individual. This could be as simple as a name or a number, or could include other information such as an IP address or a cookie identifier, or other various other types of data.
We all have our own personal data, such as our photos, SMS messages, emails, and other content. Some of this data is maintained on our own computing devices, whereas other content is maintained by other organisations on our behalf. For this type of personal data, the data we create, it is clear that it is our data, even if it is stored by some organisation on our behalf. Where it gets more tricky is when an individual’s representation is captured in the data of another. Consider an example of a CCTV camera in a store. The CCTV camera captures you as you go into the store and again as you leave with a shopping bag of items you have just purchased. At what point does this data, the CCTV data gathered by the store, include your identifiable information? If it includes your personally identifiable information, then it is your personal data. This is the challenge facing organisations and is why we developed the Face404 service from SeekLayer.
If it is possible to identify an individual directly from a piece of data, then that information could be considered to be personal data. However, this gets complex. Even if the person is not identifiable from a piece of video, you should take into account the information you are processing together with all the means reasonably likely to be used by either you or any other person to identify that individual.
Even if an individual is identified or identifiable, directly or indirectly, from the data you are processing, it is not personal data unless it actually ‘relates to’ the individual. For example, you may have information suggesting that an individual loves craft beer, but unless this information can be related back to an individual, then it is not actually personal information.
When considering whether information ‘relates to’ an individual, you need to take into account a range of factors, including the content of the information, the purpose or purposes for which you are processing it and the likely impact or effect of that processing on the individual.
It is possible that the same information is personal data for one controller’s purposes but is not personal data for the purposes of another controller.
Information which has had identifiers removed or replaced in order to pseudonymise the data is still personal data for the purposes of GDPR. If information that seems to relate to a particular individual is inaccurate (i.e. it is factually incorrect or is about a different individual), the information is still personal data, as it relates to that individual. However, information which is truly anonymous is not covered by the GDPR.
DISCLAIMER: This blog post does not constitute legal advice. It is a reflection on the thoughts and opinions of members of the SeekLayer team.