Broadly, the General Data Protection Regulation (GDPR) applies to data about an individual, which it calls 'Personal Data'. As well as this personal data, the regulation also identifies a number of specific areas of personal data for further consideration.
The GDPR primarily applies to personal data, which it defines in Article 4(1) as:
‘personal data’ means any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person;
That's a hugely broad set of data and it's much more than the obvious things like address, gender, date of birth, etc. In short, it covers pretty much any data about a person.
This personal data is not just data about your individual customers, this is any individual's personal data that's collected or processed anywhere in your business, e.g.
- Individual customers
- Individuals working for customer companies
- Individuals working for your suppliers and partner organisations
- Your own staff (e.g. HR data)
Pseudonymised data, i.e. data that has had the obvious personal identifiers (e.g. first name and last name) removed, can also come under the GDPR, depending on how hard it is to infer the identity of an individual from the data that remains.
For example, removing the name of a person from a customer record might not be enough if their job title then uniquely identified them by virtue of them being the only person to have been employed in that position at that customer company at that time.
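The job-title example above is a quasi-identifier problem: the remaining columns, taken together, may still single out one person. The following is an added example, not part of this guide, that runs a simple uniqueness check (the k-anonymity idea) over a small set of constructed customer records. The record values, the `ROLE_FAMILY` and `SECTOR` generalisation tables and the function names are all made up for illustration.

```python
from collections import Counter

# Constructed sample records (not real data). The name column has already been
# removed, as in the guide's example, but company and job title remain.
PSEUDONYMISED_RECORDS = [
    {"customer_id": "c-001", "company": "Acme Ltd", "job_title": "Chief Financial Officer"},
    {"customer_id": "c-002", "company": "Acme Ltd", "job_title": "Sales Executive"},
    {"customer_id": "c-003", "company": "Acme Ltd", "job_title": "Sales Executive"},
    {"customer_id": "c-004", "company": "Bolt plc", "job_title": "Finance Director"},
    {"customer_id": "c-005", "company": "Bolt plc", "job_title": "Sales Executive"},
    {"customer_id": "c-006", "company": "Bolt plc", "job_title": "Sales Executive"},
]

# Constructed generalisation tables: a specific value maps to a broader category.
ROLE_FAMILY = {
    "Chief Financial Officer": "Finance",
    "Finance Director": "Finance",
    "Sales Executive": "Sales",
}
SECTOR = {"Acme Ltd": "Manufacturing", "Bolt plc": "Manufacturing"}


def _qi_key(record, quasi_identifiers):
    """The tuple of quasi-identifier values that an outsider could match on."""
    return tuple(record.get(q) for q in quasi_identifiers)


def equivalence_class_sizes(records, quasi_identifiers):
    """Count how many records share each quasi-identifier combination."""
    return Counter(_qi_key(r, quasi_identifiers) for r in records)


def minimum_k(records, quasi_identifiers):
    """Size of the smallest group of indistinguishable records (the dataset's k)."""
    sizes = equivalence_class_sizes(records, quasi_identifiers)
    return min(sizes.values()) if sizes else 0


def re_identifiable(records, quasi_identifiers, k=2):
    """Records whose quasi-identifier combination is shared by fewer than k records."""
    sizes = equivalence_class_sizes(records, quasi_identifiers)
    return [r for r in records if sizes[_qi_key(r, quasi_identifiers)] < k]


def generalise(records, mappings):
    """Copy the records, replacing each mapped column with its broader category.
    Values absent from a mapping table are left unchanged."""
    out = []
    for r in records:
        g = dict(r)
        for column, table in mappings.items():
            if column in g:
                g[column] = table.get(g[column], g[column])
        out.append(g)
    return out


if __name__ == "__main__":
    qi = ("company", "job_title")
    print("k with only the name removed:", minimum_k(PSEUDONYMISED_RECORDS, qi))
    for r in re_identifiable(PSEUDONYMISED_RECORDS, qi):
        print("  still unique:", r["customer_id"], r["company"], r["job_title"])
    titles_only = generalise(PSEUDONYMISED_RECORDS, {"job_title": ROLE_FAMILY})
    print("k after generalising job title:", minimum_k(titles_only, qi))
    both = generalise(PSEUDONYMISED_RECORDS, {"job_title": ROLE_FAMILY, "company": SECTOR})
    print("k after generalising job title and company:", minimum_k(both, qi))
```

With only the name removed, the sole CFO at Acme and the sole Finance Director at Bolt are each in a group of one, so those records remain identifiable. Generalising job titles to a role family on its own does not help here, because each company still has exactly one person in "Finance"; only when the company is also generalised does every record share its combination with at least one other. The practical point is that whether data counts as pseudonymised has to be judged on the columns left behind, not on the columns removed.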
Sensitive personal data
Article 9 of the GDPR identifies certain categories of Personal Data that should be treated with additional care. It issues a blanket ban on the processing of these types of data as follows:
Processing of personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, and the processing of genetic data, biometric data for the purpose of uniquely identifying a natural person, data concerning health or data concerning a natural person’s sex life or sexual orientation shall be prohibited.
The above does not apply, however, if the individual has specifically given permission for the processing to occur, or under a few other very specific circumstances.
Data relating to criminal convictions
Article 10 introduces separate, specific rules for this type of data. We're focusing on small and medium-sized organisations (i.e. SMEs) for this guide, so we're not going to look at this area further, but there's lots of information in Article 10.
Data about children
The GDPR makes special provisions for the processing of children's data. Again, that's not something we imagine will affect too many SMEs, but there's lots of information about this in the ICO documentation.