GDPR is a data privacy and data protection law that must be interpreted correctly to achieve compliance. Personal data is the core concept of the Regulation, yet many organizations are still unsure whether a particular piece of information meets the GDPR's definition of personal data. Because there is no definitive list of what is and what is not personal data, determining this for a given item can be tricky. It ultimately comes down to interpreting the GDPR's definition of personal data correctly. Today's article is about understanding the GDPR's definition of personal data and interpreting it properly. So, let us first learn what personal data is and understand its context within the GDPR.
What is Personal Data as per GDPR Regulation?
GDPR Article 4 provides the following definition of "personal data": any information relating to an identified or identifiable natural person ('data subject'); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.
Source: https://gdpr-info.eu/art-4-gdpr/
Personal data covers a broad category of information as defined in the GDPR. Let us take a closer look at the definition to understand its core elements a little better.
- Any information: Any piece of data, whether subjective or objective, and in any format (video, audio, numerical, graphical, or photographic data) can contain personal data.
- Relating to an identified or identifiable person: Information relating to an individual that helps identify them is considered an identifier, or identifiable data.
- Natural person: A natural person is any living individual; it does not include a company, which the law sometimes treats as a "legal person".
- Data subject: The identified or identifiable natural person to whom the personal data relates; that is, the person who can be identified, directly or indirectly, by reference to that data (Article 4(1), GDPR).
- Identifying an individual directly or indirectly: An individual can be identified directly from the information at hand, or indirectly by combining that information with additional information obtained from another source. So, basically, any information that can lead to the direct or indirect identification of an individual will likely be considered personal data under the GDPR.
Source: https://gdpr-info.eu/
Understanding these concepts is crucial, as it helps organizations identify personal data and determine which data falls within the scope of the GDPR.
GDPR Personal Data List
| PCI DSS v3.2.1 | PCI DSS v4.0 |
|---|---|
| Requirement 6.5 addressed common coding vulnerabilities in software-development processes. | The updated requirement in PCI DSS v4.0 is now 6.2.2. |
| It required developers to be trained at least annually in up-to-date secure coding techniques, including how to avoid common coding vulnerabilities. | It focuses on "bespoke and custom software" and mandates annual training for developers working on such projects. |
| It also required applications to be developed based on secure coding guidelines. | This training covers software security related to their roles, development languages, secure design, and coding techniques. |
| The verification process involved examining software-development policies and procedures, records of training, and verifying that processes are in place to protect applications from certain vulnerabilities. | Additionally, it includes learning how to use security testing tools for detecting software vulnerabilities. |
| | The verification process involves checking development procedures, training records, and interviewing personnel to ensure relevant training in line with job functions and languages. |
Information not considered as Personal Data under GDPR Regulation
| PCI DSS v3.2.1 | PCI DSS v4.0 |
|---|---|
| Requirement 6.3.2 mandated review of custom code before release to identify potential vulnerabilities. | Requirement 6.3.2 is renumbered to 6.2.3, with a new sub-requirement 6.2.3.1 for manual code reviews. |
| It required code changes to be reviewed by someone other than the author, following secure coding practices. | It now specifically targets "bespoke and custom software" for review before release to identify and correct potential coding vulnerabilities. |
| Code had to adhere to secure coding guidelines, and any corrections were to be made before release. | Code reviews still follow secure coding guidelines and look for both existing and emerging software vulnerabilities. |
| The results of the code review had to be approved by management. | Corrections are implemented before release. |
| Verification involved examining software-development procedures and interviewing personnel. | Verification involves examining procedures, evidence of changes, and interviewing personnel. Manual code reviews have similar requirements under 6.2.3.1. |
Final thought: understanding the context is critical
Personal data covers a vast category of information, so it ultimately boils down to understanding the context and interpreting the GDPR's definition of personal data appropriately. The information shared in this article is not an exhaustive list, but a guide to help you understand some of the concepts used to determine whether the data you process is personal data under the GDPR.
Understanding the context is very important here. Organizations often collect many different types of information about people. Even if a piece of data on its own does not identify a person, it may do so when combined with other information. In that case the data collected by the organization falls within the scope of the GDPR, and the organization must comply with its requirements.
The more data is combined and aggregated, the more likely it is to fall within the scope of the GDPR as personal data. This makes things more difficult for organizations, especially when de-identifying data, and can ultimately result in higher risk and responsibility, and potentially in GDPR fines and penalties.
So, organizations looking to achieve GDPR compliance are advised to consult a qualified DPO to determine whether they are on the right track. We at VISTA InfoSec have the expertise, knowledge, and experience to help organizations achieve compliance. Our experts can guide your organization in the classification of data and support you on the journey to compliance. For more details on VISTA InfoSec, visit our site at www.vistainfosec.com.
Narendra Sahoo (PCI QPA, PCI QSA, PCI SSF Assessor, CISSP, CISA, CRISC, ISO 27001 LA) is the Founder and Director of VISTA InfoSec, a global information security consulting firm based in the US, Singapore, and India. Mr. Sahoo has more than 25 years of experience in the IT industry, with expertise in information risk consulting, assessment, and compliance services. VISTA InfoSec specializes in information security audit, consulting, and certification services, including GDPR, HIPAA, CCPA, NESA, MAS-TRM, PCI DSS compliance and audit, PCI PIN, SOC 2 compliance and audit, PDPA, and PDPB, to name a few. The company has worked with organizations across the globe since 2004 to address the regulatory and information security challenges in their industry. VISTA InfoSec has been instrumental in helping top multinational companies achieve compliance and secure their IT infrastructure.