With the implementation of the new General Data Protection Regulation (GDPR), companies need to educate themselves about what exactly is required of them to avoid substantial fines. In order to maintain compliance with the new regulations, organisations need to understand precisely the definitions set out in the GDPR articles. The definition of ‘Personal Data’ is of particular importance, as the rules of the GDPR rest entirely on how companies interact with personal data. Having an accurate understanding of personal data could be the difference between compliance and incurring a fine of up to 4% of your global revenue.
The definition provided for personal data in GDPR Article 4 reads: “‘Personal data’ means any information relating to an identified or identifiable natural person (“data subject”); an identifiable person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that person”. This is a dense definition, but it is vital that companies interrogate it to understand how it applies to them. In practice, personal data is any information that comes into a company's hands and relates to a living individual who can be identified. Any data that falls outside this definition is not personal data and is not subject to data protection regulations. The definition does, however, explicitly encompass a number of personal identifiers such as a name, an identification number, location data and online identifiers. The new regulations reflect how companies now collect the personal data of individuals and the importance of protecting the rights of the individual, and they account for the modern methods organisations use to collect that data.
Sensitive Personal Data
‘Personal Data’ has subcategories, one of which is ‘Sensitive Personal Data’, covered by Article 9 of the GDPR under the heading “special categories of personal data”. This category of personal data is subject to additional protections. Article 9 of the GDPR defines it as data that reveals “racial or ethnic origin, political opinions, religious or philosophical beliefs, trade-union membership; data concerning health or sex life and sexual orientation; genetic data or biometric data”. Organisations need stronger grounds to process this sensitive personal data. Under the new regulations, the major change concerns biometric and genetic data, which are now specifically listed as sensitive personal data. Any organisation that processes or controls data of this nature will be subject to additional restrictions and protections.
What organisations should do to prepare
It is paramount that companies and organisations take time to prepare for the introduction of the GDPR on 25th May 2018. This begins with understanding the revised definitions of key terms like Personal Data. Companies need to evaluate how data protection regulations affect them and what changes they need to make to their processes. The new regulations need to be reflected in all relevant policies, procedures and documents. Data protection language should be used in standard agreements, and all internal policies that engage with data protection issues should be reviewed to ensure that they comply with the GDPR once it is in force. This is where Asystec comes in. If your company engages with personal data and you are unsure how to effectively prepare for the new GDPR, Asystec can do all the groundwork for you. Asystec provides your organisation with reliable advice on data protection tailored to your GDPR needs. It is necessary that companies understand how they fit into the GDPR picture, and Asystec ensures that you meet every criterion asked of you under the new regulations. Change and improvement are unavoidable under the GDPR; make sure you are making the right changes with Asystec.