The Data Protection Act is one of the worst-named pieces of law (although not as bad as “verbal injury to a business”, which can be in writing!).
It has nothing to do with protecting data. Rather, it protects personal data. That’s information about living people. Not drawings, not prices, not software code.
The GDPR’s definition of personal data is now much broader than previous legislation: “Personal data means any information relating to an identified or identifiable natural person (‘data subject’)”.
The broadening of the definition has meant that under certain circumstances, personal data now includes online identifiers such as IP addresses and mobile device IDs.
By itself, the name “John Smith” may not always be personal data because there are many individuals with that name. However, where the name is combined with other information (such as an address, a place of work, a photograph or a telephone number) this will usually be sufficient to clearly identify one individual.
Do not fall into the trap of assuming that you require a name before you can identify someone. Simply because you do not know the name of an individual does not mean you cannot identify them. You might not know the names of all your neighbours, but you can still identify them! A good example of personal data would be CCTV footage. If you have a camera covering your reception area, then you are gathering personal data if you are monitoring and recording any images.
It is crucial to know what is meant by personal data before you carry out your initial audit. If there is any doubt, then it is safer to err on the side of caution and assume it is personal data and take all necessary steps to protect that data.
From a business risk point of view, you need to be taking all steps to minimise risk. An easy way to do that is to follow the data protection principles: hold data securely, retain only the bare minimum of information you require, and keep it for no longer than is absolutely necessary. The GDPR has introduced the concept of ‘pseudonymous data’, which is personal data that has been subjected to technological measures (for instance, hashing or encryption). This is a good way to minimise the risk, because if there is a breach, then the data being lost is unlikely to meet the definition of personal data.
If you are in any doubts, then please contact our data protection team.
Time is running out: the GDPR comes into force on 25 May 2018, so don’t get caught out! Click here to read our 12 steps to GDPR compliance.
The information and opinions contained in this blog are for information only. They are not intended to constitute advice and should not be relied upon or considered as a replacement for advice. Before acting on any of the information contained in this blog, please seek specific advice from Gilson Gray.