GDPR
General Data Protection Regulation
Personal Data
Personal Data
- Understanding whether you are processing personal data is critical to understanding whether the UK GDPR applies to your activities.
- Personal data is information that relates to an identified or identifiable individual.
- What identifies an individual could be as simple as a name or a number or could include other identifiers such as an IP address or a cookie identifier, or other factors.
- If it is possible to identify an individual directly from the information you are processing, then that information may be personal data.
- If you cannot directly identify an individual from that information, then you need to consider whether the individual is still identifiable. You should take into account the information you are processing together with all the means reasonably likely to be used by either you or any other person to identify that individual.
- Even if an individual is identified or identifiable, directly or indirectly, from the data you are processing, it is not personal data unless it ‘relates to’ the individual.
- When considering whether information ‘relates to’ an individual, you need to take into account a range of factors, including the content of the information, the purpose or purposes for which you are processing it and the likely impact or effect of that processing on the individual.
- It is possible that the same information is personal data for one controller’s purposes but is not personal data for the purposes of another controller.
- Information which has had identifiers removed or replaced in order to pseudonymise the data is still personal data for the purposes of UK GDPR.
- Information which is truly anonymous is not covered by the UK GDPR.
- If information that seems to relate to a particular individual is inaccurate (ie it is factually incorrect or is about a different individual), the information is still personal data, as it relates to that individual.
Breaches
Breaches
The Data Controller has 72 hours to alert the ICO in the event of a GDPR breach.
Fines of up to £8.7 million, or 2% annual global turnover – whichever is higher, for infringements of an organisation's obligations (e.g. data security breach).
Fines of up to £17.5 million, or 4% annual global turnover – whichever is higher, for infringements of an individual's privacy rights.
General Guidelines
General Guidelines
Always delete personal data that you no longer require.
Don't keep personal data locally, only on secured shared drives or in a database.
Don't update personal data without explicit permission.
Don't share login details as this will corrupt any audit trail.
Don't share personal data with those not authorised to see it.
GDPR Subject Access Request (SAR)
GDPR Subject Access Request (SAR)
Bibliography
Bibliography
(1) https://ico.org.uk/for-organisations/guide-to-data-protection/guide-to-the-general-data-protection-regulation-gdpr/key-definitions/what-is-personal-data/ (May 2022)https://www.legislation.gov.uk/eur/2016/679/contentshttps://www.legislation.gov.uk/eur/2016/679/article/9
https://edpb.europa.eu/system/files/2021-09/dpc_final_decision_redacted_for_issue_to_edpb_01-09-21_en.pdf (WhatsApp, Aug-2021 - €225 million fine)https://www.theverge.com/2021/7/30/22601661/amazon-gdpr-fine-cnpd-marketplace-antitrust-data (Amazon, Jul-2021 - €746 million fine)