GDPR Bitesize: Personal Data and Sensitive Personal Data

Posted on: 24th January 2018

personal data

In terms of GDPR, personal data means any information relating to an identified or identifiable natural person.

This bitesize article references the official ICO GDPR document, which you can read in full here.

What is an identifiable natural person?

An identifiable natural person is someone who “can be identified, directly or indirectly, by factors such as; a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person”.

Note that personal data also includes any expression of opinion about an individual and any indication of the intentions of the data controller or any other person in respect of the individual.

Pseudonymisation and anonymisation

Despite the unnecessarily long name, pseudonymisation means replacing ‘obvious’ personal details with a separate unique identifier, typically generated through some kind of hashing, encryption or tokenisation function.

For example, “Pyranet IT Solutions bought item x” could be pseudonymised to “Visitor 15364 bought item x”.

Pseudonyming can fall within the scope of the GDPR depending on how difficult it is to attribute the pseudonym to a particular individual.

Anonymising Data

Personal data ceases to be classed as personal data if it has been irreversibly anonymised, meaning it can therefore be retained and used by the company.

In some cases, it is not possible to effectively anonymise data, either because of the nature or context of the data, or because of the use for which the data is collected and retained. Even in these circumstances, organisations might want to use anonymisation or pseudononymisation techniques.

Sensitive personal data

The GDPR refers to sensitive personal data as “special categories of personal data”.

This relates to information concerning a data subject’s racial or ethnic origin, political opinions, religious beliefs, trade union activities, physical or mental health, sexual life, or details of criminal offences.

However, personal data relating to criminal convictions and offences are not included, but similar extra safeguards apply to its processing.

As with general personal information, there are a number of circumstances that enable the processing of sensitive personal data without consent.

However, if consent is used as a way to process such data, it is important to note that the Act requires explicit consent. It is always preferable to have explicit consen

t in order to process sensitive data, and this should always be obtained if it is possible to do so, even if another processing condition could apply.

Automated Data and Manual Data

The GDPR applies to both automated personal data and to manual filing systems where personal data is accessible according to specific criteria. This could include chronologically ordered sets of manual records containing personal data.

 Want some advice, or feel like you could benefit from our cyber security and GDPR services? Click here.