Is encrypted data personal data under GDPR?

Almost all of our interactions with organizations involve an exchange of personal data. Examples include name, phone number, and address.

One of these pieces of data may not be enough to identify an individual. However, when collected together, they can identify a particular person and therefore constitute personal data. This is why it is often referred to as personally identifiable information or PII.

Data ceases to be personal when it is made anonymous, and an individual is no longer identifiable. But for data to be truly anonymized, the anonymization must be irreversible.

Data that has been encrypted, de-identified, or pseudonymized but can be used to re-identify a person is still personal data.

The GDPR exists to protect our personal data on all levels. It is protected on all platforms, regardless of the technology used, and it applies to both manual and automated processing. Personal data laws also apply regardless of how the data is stored, be it an IT system, paper, or video surveillance.

  • The GDPR And Personal Data
  • The Definition of Personal Data
  • Examples of Personal Information
  • GDPR Identifiers
  • How Organisations Should Handle Personal Data
    • Pseudonymization
    • Encryption
  • The Importance Of Context 
  • Sensitive Data
    • Processing Sensitive Personal Data
  • The GDPR And Consent
  • Personal Data Breaches

The GDPR And Personal Data

The GDPR was launched in 2016, intending to provide one set of privacy laws for the European Union.

The GDPR provides guidelines for organizations and businesses regarding how they handle information that relates to the individuals with whom they interact. It has made it easier for the citizens of the European Union to understand their rights when it comes to their personal information and how it should be used.

This is important because technology is changing faster than ever, and personal data is evolving with it. The smartphone has become central to the modern world, and almost half of the world’s population has social media accounts.

This has drastically changed the nature of the personal information that we share. It now includes biometric data, like fingerprint identification and retina scans, and location data from IP addresses and Google Maps. For this reason, our personal information is more vulnerable than ever.

The Definition of Personal Data

Personal data is central to the ethos of the General Data Protection Regulation (GDPR). However, some people are still unsure of what ‘personal data’ specifically refers to.

The basic definition of personal data is any information relating to an identified or identifiable natural person (data subject).

In other words, any information that obviously relates to a particular person and can be used to identify them.

The GDPR states that data is classified as “personal data” if an individual can be identified directly or indirectly, using online identifiers such as their name, an identification number, IP addresses, or their location data, and if these online identifiers give information specific to the physical, physiological, genetic, mental, economic, cultural, or social identity of that natural person.

In some circumstances, even information related to a person’s job, hair color, or political opinions could be classed as personal data. Usually, this comes down to the context in which the data was collected and whether a data subject could be directly or indirectly identifiable.

Examples of Personal Information

The definition of personal data is any information relating to an “identified or identifiable natural person.” When most people think of personal data, they think of phone numbers and addresses; however, personal data covers a range of identifiers.

  • Name and surname.
  • Email address.
  • Phone number.
  • Home address.
  • Date of birth.
  • Race.
  • Gender.
  • Political opinions.
  • Credit card numbers.
  • Data held by a hospital or doctor.
  • Photograph where an individual is identifiable.
  • Identification card number.
  • A cookie ID.
  • Internet Protocol (IP) address.
  • Location data (for example, the location data from a mobile phone).
  • The advertising identifier of your phone.

Personal data relating to GDPR does not cover:

  • Information about someone who is deceased.
  • Properly anonymized data.
  • Information about public authorities and companies.

GDPR Identifiers

A person can be identified if they are distinguishable from another individual. The GDPR asks companies to consider:

  • If they can identify an individual person just by looking at the data they are processing.
  • That you don’t need a name to identify a person; a combination of other pieces of data could act as the identifier.
  • How they assess the data they are processing and whether someone else could feasibly use it to identify a person.
  • Whether there is a future likelihood that the data could be used to identify someone.
  • The data content and whether it’s about the person or what they do.
  • The reason they are processing the data.
  • The possible effects on the person from the data processing.

How Organisations Should Handle Personal Data

All organizations should err on the side of caution when it comes to processing personal data.

The GDPR suggests that they should ensure that the processing of any personal information is limited to what is necessary.

Organizations should only keep this data for as long as it meets its purpose. They should also try to pseudonymize and/or encrypt this information – especially if it is classed as sensitive data.

Pseudonymization

Pseudonymization is when data is masked by replacing any identified or identifiable information with artificial identifiers.

Although it can be a great way to protect the security and privacy of personal data, pseudonymization is limited. Even though pseudonymous data will not identify a person directly, that person can be indirectly identified relatively easily.

Some examples of this type of personal data include:

  • An internet user name, such as a name used to post to an online discussion forum.
  • Any social networking data, such as a person’s friend list and login information.
  • Internet user-generated data – data that is knowingly generated by an individual, such as discussion forum posts, internet searches, and personal data that they input into their social networking profiles.
  • RFID (radio frequency identification) codes – RFID chips will usually include an identifiable unique number, which individualizes any property to which it is attached and can therefore be used to identify someone.
  • Unique identification numbers on personal devices. For example, MAC address, IP address, Bluetooth number, International Mobile Equipment Identity (IMEI) number, or Near Field Communication number.

Encryption

Encryption works in a similar way to pseudonymization. It obscures personal information by replacing unique identifiers with other data.

But unlike pseudonymization, which allows any person who has legal access to the data to view part of the data set, encryption only allows approved users to view the complete data set.

The GDPR states that encryption and pseudonymization can be used together or separately, and many organizations choose to use both methods to protect their data subjects.

The Importance Of Context 

It is normal for organizations to collect a number of different types of personal data. It is important for them to consider that even if one piece of information doesn’t identify an individual, it could become relevant when combined with other information.

For example, the data controller at an organization might ask their customers what their occupation is, and with this information alone, it would not be possible to identify them. Therefore, this information alone does not fall under the scope of personal data according to the GDPR because a job title is not usually specific to one individual person.

However, if the data controller also asks them what company they work for, these pieces of information combined could narrow down the number of natural, living persons at a company with a particular occupation and possibly identify a person. In other words, if you refer to an individual who has a specific job title at a certain company, there may be one person who fits that description.

Of course, this is not always the case. For example, if you know that a person is a barista at Starbucks, it’s unlikely that you would be able to identify them, and therefore, these two pieces of information together wouldn’t be considered personal data according to the GDPR.
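The point made under Pseudonymization and The Importance Of Context, shown as an added example that is not part of the original article: names are replaced with keyed artificial identifiers, yet the combination of occupation and company still singles out individual records. The records, the company names other than Starbucks, the key, and all function names are constructed for illustration.

```python
import hashlib
import hmac
from collections import Counter

# Constructed sample records (not real people).
RECORDS = [
    {"name": "Alice Example", "occupation": "barista", "company": "Starbucks"},
    {"name": "Bob Example", "occupation": "barista", "company": "Starbucks"},
    {"name": "Carol Example", "occupation": "barista", "company": "Starbucks"},
    {"name": "Dan Example", "occupation": "finance director", "company": "Acme Ltd"},
    {"name": "Erin Example", "occupation": "finance director", "company": "Globex Ltd"},
    {"name": "Frank Example", "occupation": "accountant", "company": "Acme Ltd"},
    {"name": "Grace Example", "occupation": "accountant", "company": "Acme Ltd"},
]
SECRET_KEY = b"constructed-demo-key"  # assumption: stored apart from the data set


def pseudonymize(records, key):
    """Replace the direct identifier (name) with a keyed artificial identifier."""
    out = []
    for rec in records:
        token = hmac.new(key, rec["name"].encode(), hashlib.sha256).hexdigest()[:16]
        rest = {k: v for k, v in rec.items() if k != "name"}
        out.append({"subject_id": token, **rest})
    return out


def group_sizes(records, fields):
    """Count how many records share each combination of values for `fields`."""
    return Counter(tuple(rec[f] for f in fields) for rec in records)


def smallest_group(records, fields):
    """Size of the smallest group; 1 means at least one record is unique."""
    return min(group_sizes(records, fields).values())


def singled_out(records, fields):
    """Records whose combination of `fields` is unique in the data set."""
    sizes = group_sizes(records, fields)
    return [r for r in records if sizes[tuple(r[f] for f in fields)] == 1]


if __name__ == "__main__":
    data = pseudonymize(RECORDS, SECRET_KEY)
    print("occupation only:", smallest_group(data, ["occupation"]))
    print("occupation + company:", smallest_group(data, ["occupation", "company"]))
    for rec in singled_out(data, ["occupation", "company"]):
        print("still singled out:", rec)
```

Running the same check over every planned combination of fields before a data set is shared shows which fields need to be generalized or dropped.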

Sensitive Data

Although the terms “personal data” and “sensitive data” are often used to describe the same thing, the GDPR makes a clear distinction between these two terms.

According to the regulation, sensitive data is a set of special categories that should be handled with extra security. These special categories are:

  • Ethnic or racial origin.
  • Political opinions.
  • Cultural or social identity.
  • Philosophical or religious beliefs.
  • Trade union memberships.
  • Genetic data.
  • Biometric data (that can be used to uniquely identify someone).

Processing Sensitive Personal Data

There are some extra rules when it comes to processing sensitive personal data. You are required to document a lawful reason for processing this information under Article 6 of the GDPR.

According to Article 6, organizations must have:

  • A valid contract with the individual – For example, an employment contract or a contract to supply goods or services.
  • A legal obligation – The organization could be legally required to process the data.
  • A public task – This includes official functions or tasks in the public interest. For example, schools and other educational institutions, public authorities such as government departments, hospitals, and law enforcement agencies.
  • Legitimate interests – An organization may have a legitimate and genuine reason (such as a commercial benefit) to process personal information without consent.
  • Consent – If the data subject agrees to the processing of their data, after being given a clear and honest explanation of the reason for its collection and what it will be used for.

There is a common assumption that according to the GDPR, all organizations must obtain consent in order to process personal data, but this is not the case.

Consent is just one of the options that companies have, as this article has shown, and in fact, it is not always the best option. Individuals can withdraw consent at any time, and as a result, complications can arise.

When organizations don’t take the time to study the GDPR compliance requirements, they can be tripped up, and this has the potential to cause lasting damage, from regulatory fines and enforcement action to loss of customers and negative press.

Personal Data Breaches

The GDPR sets out very strict guidelines with regard to personal data and how it is used.

If any information relating to another person is accidentally or unlawfully lost, altered, disclosed, destroyed, or accessed, this is classed as a Data Breach.

Personal data is a key aspect of online identity, but unfortunately, it can be exploited. Some individuals might alter personal data to hijack mailboxes, create fake documents, and use people’s contact information to harass them.

They might even commit Financial Identity Theft, which usually involves credit card and bank account details being stolen to be used or sold. In other cases, personal data that has been breached is used to create false online identities, such as fake social media profiles.

This is commonly referred to as Identity fraud or Identity Cloning.

Once an individual has access to certain personal data such as your name, date of birth, ID documents or Social Insurance Number, and passwords, they can use them to log in to different websites in order to access even more information that they can use to their advantage.

Personal data breaches are not always a result of cybercriminals hacking into a company system.

In fact, many of these incidents occur when an employee accidentally makes personal information public.

This could be through an email that was sent to the wrong person, a technical error on the company’s webpage, or losing a laptop or another personal device that contains personal data.

What does GDPR say about encryption?

Article 32 of the UK GDPR includes encryption as an example of an appropriate technical measure, depending on the nature and risks of your processing activities. Encryption is a widely-available measure with relatively low costs of implementation. There is a large variety of solutions available.

What is considered as personal data under GDPR?

Personal data is information that relates to an identified or identifiable individual. What identifies an individual could be as simple as a name or a number or could include other identifiers such as an IP address or a cookie identifier, or other factors.

Which data is not considered personal data under GDPR?

By using “natural person,” the GDPR is saying data about companies, which are sometimes considered “legal persons,” are not personal data. A final caveat is that this individual must be alive. Data related to the deceased are not considered personal data in most cases under the GDPR.

What does encrypt personal data mean?

Data encryption translates data into another form, or code, so that only people with access to a secret key (formally called a decryption key) or password can read it.