The ubiquitous nature of the GDPR
Ever since the promulgation of the GDPR back in 2016, many companies have been ignoring the scope of the legislation and their obligation to comply with it.
The acronym stands for General Data Protection Regulation and the act itself applies to personal data processing, as the name might suggest. Quite often, many CEOs and project managers tend to disregard the importance of the GDPR, convinced that the regulation does not apply to their companies since their main activities revolve around, say, commerce or consulting. However, the assumption could not be farther from the truth. Regardless of the type of business, a company most likely processes personal data. Storing employees’ personal information, email addresses, or customer data is all it takes to become a data processor.
The real scope of personal data extends beyond the information that expressly relates to natural persons. Adopting the broader definition of personal data outlined by the European Union may have many consequences for a company, both positive and negative. To have a better understanding of them, we should take a closer look at the notion of personal data. In this article, we will provide you with a brief description of the basic components and explain how they work together to frame the concept of personal data.
Personal data 101
There is no consensus about what personal data is exactly. The perception differs depending on the legal system. In the USA alone, personal data can mean different things, varying from state to state. Most likely, the majority of states define personal data as “personally identifiable information” or PII (Voss & Houser, 2019). Unlike in Europe, privacy is not a fundamental right in US legislation. Therefore, special rules regarding personal data only apply to specific industries (Voss & Houser, 2019). In Europe, the GDPR defines personal data as “any information relating to an identified or identifiable natural person directly or indirectly” (EU, 2016). This concept can be broken down into four elements: information, relating to, an identified or identifiable, and natural person (WP, 2007). We will now explain these elements.
Let’s define the elusive concept of “information”. The definition of information is a bit controversial as it can be interpreted in many ways. The safest option is to think of information as a combination of two elements: data and meaning (Purtova, 2018). Data is described as “facts and statistics collected together for reference or analysis” (Lexico, 2020). But data without context is nothing more than a collection of facts. Thus, data plus meaning becomes information.
The European Court of Justice has stated that the phrasing used by the legislator (i.e. “any information”) provides a wide scope for personal data. Thus, the concept is not limited to strictly related information, which allows any kind of information to become personal data, regardless of its nature, format, or context (ECJ, 2017).
The “relating to” element refers to the link or connection between the information and the individual. This connection could be described in terms of content, purpose, or result (WP, 2007). We’re dealing with a relationship based on content when a piece of information can be used to simply identify an individual (like a name in a passport). A purpose-based relationship is a situation in which information is used to evaluate or influence the status of an individual. When a particular use of information has an impact on the rights or interests of a person, that’s a case of a relationship based on the result (WP, 2007).
An identified or identifiable natural person
The data protection legislation defines this as any person “who can be identified, directly or indirectly” (EU, 2016). Under recital 26 of the GDPR, “identifiable” or “identified” can be understood as the possibility of becoming identified by any third party (EU, 2016). The Court has expressed that identifiability is not just a result of information allowing for identification per se. It also means the possibility of being identified indirectly, due to the addition of more information (ECJ, 2016). Nonetheless, it is important to highlight that the sheer possibility of being identified is not enough to consider someone identifiable since, as the legislation states, other factors need to be considered for this to happen, such as the cost of technology development or manpower (EU, 2016).
What does all this mean?
Although this concept might seem to be difficult to understand for people with no legal training, all it means is that any piece of information that could be used alone or in combination to identify a person can be understood as personal data. Still, that does not mean the matter is not complex. For example, in a contest held in 2006, Netflix published over 100 million ratings from almost 500,000 randomly selected customers. The company claimed to have removed identifiable information from its database, which was considered enough for the reviews to not be personal data. However, a study proved that by combining Netflix’s information with Amazon reviews through exact matches and similarity scores, the personal data of Netflix’s users was unraveled, revealing full names and consumer habits (Archie, Gershon, Katcoff & Zeng, 2015). This leads to considerable uncertainty as to what kind of data is personal. Some legal practitioners believe that the vast majority of information can, in fact, be personal.
What should you do if your company handles information that could be considered personal data?
First of all, you have to be aware that you cannot process personal information without a legal basis. There are several legal bases for processing data, i.e. Consent, Performance of a Contract, Legitimate Interest, Vital Interest, Legal Requirement, or Public Interest. Depending on the business profile, one of them should apply to your company’s activity. And no matter which one it is, you always have to remember the key aspect of processing personal data: security.
Every single day, literally thousands of data leaks occur all over the world. That’s exactly why the GDPR and nearly every other privacy legislation stress the importance of data security. What it means is data should be stored in a safe network, inaccessible to any unauthorized party. What’s most problematic as far as data storage is concerned is the fact that data is usually stored in a centralized cloud, vulnerable to hacking. Iagon solves this problem by providing a tool to ensure that any type of data, whether it’s personal or not, is encrypted, sharded, and distributed among our highly secure nodes. Not only does this guarantee high-quality security (meaning it’s extremely difficult for any unauthorized party to access the data), but it also allows for complete compliance with any privacy legislation.
In the EU, you need to comply with the GDPR. In the USA, you need to comply with the privacy act that applies to your state. Generally speaking, in most countries around the globe, there is some privacy regulation that needs to be considered when storing data. To tackle this, Iagon provides a fully customizable tool that can be adjusted to suit the majority of privacy frameworks.
Doubling down on security
Anonymized data is the opposite of personal data. It could be defined as data that cannot be related to an individual. This is achieved in the process of anonymization, i.e. altering personal data by removing the connection between the data and the individual (Voigt & Von dem Bussche, 2017).
Technically speaking, anonymization can be achieved in two ways. One of them is randomization. This method relies on altering the accuracy of data to remove the link between the data and the individual, thus making the data obscure. The other method is generalization, which dilutes the characteristics of the data subjects by modifying the order or scale of data collection (going for an entire region rather than just a city, or a month instead of days, etc.) (Voigt & Von dem Bussche, 2017). However, as exemplified by the Netflix case, sometimes anonymization is not enough to escape the traps of privacy regulations.
Pseudonymization is characterized by a different approach. Its purpose is to process data in a way that makes the identification of an individual impossible without specific additional information (like a key needed to open a lock). The bits of information must be encoded or kept separately. Importantly, information that has gone through the process of pseudonymization still falls under the concept of personal data (Voigt & Von dem Bussche, 2017). We need to keep in mind that pseudonymization is not about simply deleting “traditional” information bits such as names or addresses. For that reason, it’s imperative that data is processed and stored safely (Millard & Hon, 2012).
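The two techniques above, as an added example that is not from the article or from Iagon: names are replaced by a keyed pseudonym (HMAC-SHA256, with the key held apart from the data), city and day are generalized to region and month, and a group-size check (a k-anonymity style measure that goes beyond the text) shows how many rows share each combination of coarse attributes. The records, the REGION lookup and all function names are constructed for illustration.

```python
import hashlib
import hmac
import secrets
from collections import Counter

# Constructed sample records; names, cities and dates are made up.
RECORDS = [
    {"name": "Alice Example", "city": "Lyon", "rated_on": "2006-03-02", "rating": 5},
    {"name": "Bob Example", "city": "Grenoble", "rated_on": "2006-03-17", "rating": 3},
    {"name": "Carol Example", "city": "Nice", "rated_on": "2006-04-05", "rating": 4},
    {"name": "Dan Example", "city": "Marseille", "rated_on": "2006-04-28", "rating": 2},
]
# Hypothetical city -> region lookup used for generalization.
REGION = {"Lyon": "Auvergne-Rhone-Alpes", "Grenoble": "Auvergne-Rhone-Alpes",
          "Nice": "Provence-Alpes-Cote d'Azur", "Marseille": "Provence-Alpes-Cote d'Azur"}


def pseudonymize(identifier, key):
    """Keyed pseudonym (HMAC-SHA256): re-linking needs the separately stored key."""
    return hmac.new(key, identifier.encode("utf-8"), hashlib.sha256).hexdigest()


def generalize(record):
    """Coarsen quasi-identifiers: city -> region, day -> month."""
    return {"region": REGION[record["city"]], "month": record["rated_on"][:7]}


def release(records, key):
    """Build the shareable rows: no name, pseudonym instead, coarse attributes."""
    rows = []
    for rec in records:
        row = {"pid": pseudonymize(rec["name"], key), "rating": rec["rating"]}
        row.update(generalize(rec))
        rows.append(row)
    return rows


def smallest_group(rows, quasi_ids):
    """Size of the smallest set of rows sharing the same quasi-identifier values."""
    groups = Counter(tuple(row[q] for q in quasi_ids) for row in rows)
    return min(groups.values())


if __name__ == "__main__":
    key = secrets.token_bytes(32)  # keep in a separate store from the released rows
    rows = release(RECORDS, key)
    print("raw k:", smallest_group(RECORDS, ["city", "rated_on"]))
    print("released k:", smallest_group(rows, ["region", "month"]))
```

A smallest group of 1 means at least one row is unique on those attributes and can be singled out by anyone holding a second dataset with the same fields. The released rows remain pseudonymized personal data for as long as the key exists.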
Theory into practice
We hope we helped you get familiar with the concept of personal data. Its theoretical and legal aspects go far beyond the scope of this short article as the matter is considerably complex. If you’re more interested in the practical application of all this information, follow our blog and social media channels. We’re planning to release some guidelines that should make understanding the application of the GDPR and other privacy frameworks in the business environment a bit easier.
Table of reference
- Archie, M., Gershon, S., Katcoff, A., & Zeng, A. (2015). De-anonymization of Netflix Reviews using Amazon Reviews.
- Data (2020). Lexico. Retrieved from https://www.lexico.com/definition/data
- European Court of Justice (2016) Case C-582/14, Patrick Breyer v. Bundesrepublik Deutschland
- European Court of Justice (2016a) Joint cases C-141/12 and C-372/12 YS and M. and S. v Minister of Immigration, Integration and Asylum
- European Court of Justice (2017) Case C-434/16 Peter Nowak v Data Protection Commissioner
- European Union (2000) Charter of fundamental rights of the European Union (2000/C364/01)
- European Union (2012) The Treaty on the Functioning of the European Union 2012/C326/01
- European Union (2016) Regulation (2016/679)
- Ohm, P. (2009). Broken promises of privacy: Responding to the surprising failure of anonymization. UCLA L. Rev., 57, 1701.
- Purtova, N. (2018). The law of everything. Broad concept of personal data and future of EU data protection law. Law, Innovation and Technology, 10(1), 40-81.
- Millard, C., & Hon, W. K. (2012). Defining ‘personal data’ in e-social science. Information, Communication & Society, 15(1), 66-84.
- Voigt, P., & Von dem Bussche, A. (2017). The EU General Data Protection Regulation (GDPR). A Practical Guide, 1st Ed., Cham: Springer International Publishing.
- Voss, W. G., & Houser, K. A. (2019). Personal Data and the GDPR: Providing a Competitive Advantage for US Companies. American Business Law Journal, 56(2), 287-344.
- Working Party (2007) Article 29 opinion 4/2007 on the concept of personal data.
- Zarsky, T. Z. (2017). Incompatible: The GDPR in the age of big data. Seton Hall Law Review, 47(4), 995-1020.