Given the volume of data that organisations are gathering about their customers, the question of what is identifiable becomes important. An individual is ‘identified’ or ‘identifiable’ if you can distinguish them from other individuals. But what does that mean? Let us consider the following example. A name is perhaps the most common means of identifying someone. However whether any potential identifier actually identifies an individual depends on the context. A combination of identifiers may be needed to identify an individual. Just a name may not be enough. Consider the name Pat Murphy. How many Pat Murphys are there in Ireland? We would need more to identify someone in this case. Luckily GDPR provides a non-exhaustive list of identifiers, including:
- ID number;
- location data; and
- an online identifier, such as IP addresses and cookie identifiers which may be considered personal data.
- Other factors can identify an individual. Ok, so this one is not so helpful, but consider all the sources of data that you have and see which lead to potential identifiability. Email addresses, social network identifiers, etc..
Assuming these points, then the question becomes, can you identify an individual directly from the information that you or your organisation holds?
By considering all the information you are processing (or have access to process) about individuals, then if you can distinguish an individual from other individuals, that individual will be identified (or identifiable). If you have a customer name and address/phone number. That individual is identifiable. Consider the representation of an individual on a CCTV camera, that is likely also to be considered to be identifiable data.
You don’t have to know someone’s name for them to be directly identifiable, a combination of other identifiers may be sufficient to identify the individual. Even age and address may be sufficient, or just an ID number. It is important to be aware that information you hold may indirectly identify an individual and therefore this could reasonably constitute personal data.
However, as with many legal and regulatory issues, it gets more complex. Even if you may need additional information to be able to identify someone, they may still be identifiable. Consider the fact that there is information that may be obtained from another source. Yes, it is kind of hypothetical, but in some circumstances there may be a slight hypothetical possibility that someone might be able to reconstruct the data in such a way that identifies the individual. However, this is not necessarily sufficient to make the individual identifiable in terms of GDPR. You must consider all the factors at stake.
However, in any case, you have an obligation to consider the identifiability of individuals in your data and make appropriate arrangements and protections. It is also important to consider the potential for identification to change over time (for example as a result of technological developments). Hence, at SeekLayer, we have developed the Face404 system that actually provides support to redact and remove identifiable faces from CCTV video, which is required if you are ever releasing or otherwise using CCTV video, even if the use is for in-house activities such as training.
As in all cases, you should seek legal advice if you are unsure of your rights and/or obligations under data protection laws.
DISCLAIMER: This blog post does not constitute legal advice. It is a reflection on the thoughts and opinions of members of the SeekLayer team.