What is personal data? Ownership, processing and security

What is personal data?

In order to understand what personal data is, let’s start with a definition. Personal data is defined by the EU in the General Data Protection Regulation as:

“‘personal data’ means any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person;”

- REGULATION (EU) 2016/679 OF THE EUROPEAN PARLIAMENT AND OF THE COUNCIL of 27 April 2016

In other words, personal data is all information that can be used to identify an individual. According to this definition personal data spans a variety of different informations, including:

A name

A photo

E-mail address

Information about a person’s ethnicity

A sound file

IP address

Criminal record

Social Security Number

The list of personal data is therefore potentially inexhaustible.

Any information related to an identified or identifiable individual is personal data. Information such as data about congenital diseases of an individual’s grandparents is also personal data.

The GDPR does, however, differentiate between different types of personal data, that need to be processed or handled under less and more restrictive conditions:

General personal data

These include personal data such as names, e-mails, addresses, place of employment etc. They are factual information that are often publicly available.

Sensitive personal data (‘special categories of personal data’)

Such as health data, ethnicity and sexual identity. These types of data are very personal and need to be processed with extra care.

Social security numbers and criminal record (‘special categories of personal data’)

Governmental information such as social security numbers and criminal records are also a part of special categories of personal data. By some EU countries these are considered a separate category, as they involve classified or protected information that need to be more guarded than even traditional sensitive personal data.

What is the GDPR (General Data Protection Regulation)?

The GDPR, or General Data Protection Regulation, is a regulatory framework and directive in EU law on data protection and privacy in the European Union and the European Economic Area. It applies to all personal data, as well as the transfer of personal data outside the EU and EEA. It was implemented in 2018.

Its official name is:

REGULATION (EU) 2016/679 OF THE EUROPEAN PARLIAMENT AND OF THE COUNCIL of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation)

What is personal data in a business perspective?

Personal data is ultimately the most valuable information that businesses collect and process. Without this data it’s not possible to run a business in such a digitalized world.

On a consumer level, people would not be able to use today’s digital options, i.e. setting up a bank account, getting a package delivered or in any way buying vital digital services without the release of some form of personal data. There are, of course, certain providers of services and products that don’t need personal data – for example, if you buy a hotdog at a vendor and pay in cash.

With the exception of examples as above, the majority of interactions between individuals and businesses are based on some sharing or exchange and processing of personal data. The increasing digitalization of society and the use of personalized data also gives rise to better and more targeted services. For that reason the exchange of personal data can be considered necessary, or even essential, for both consumers and businesses.

The rules for how businesses process personal information are quite extensive and cover, among other things, the secure storage of personal data.

What is processing of personal data?

The processing of personal data refers to activities such as the collection, storage, use, transfer, security and disclosure of personal data. Any activities relating to personal data, from the planning of the processing to the removal of personal data, constitute processing of personal data.

When a company processes data, there will always be a need for a data processor and a data controller. These two roles are not the same, but are both necessary to have. In the following you can find a definition of each role and what it entails.

A data controller is a person or an organization that determines the purposes and means of processing personal data. A data controller can be an association that collects information about its members, a hospital that processes patient records, an online shop or a social media service.

A data processor is a person or an organization that processes personal data on behalf of a controller. A data processor could be an agency that handles some processes of another company, or an IT service provider that has access to the personal data collected by the data controller.

When can businesses process personal data under GDPR?

The GDPR – and subsequent local laws – applies the moment businesses ‘process’ personal information. But, as mentioned earlier, the processing of personal data can take many forms. Because the definition is so broad, it in reality occurs the moment a business comes into contact with personal information.

According to the definition of GDPR, processing of personal data applies to all the ways in which you handle personal information. This includes collecting, recording, organizing, systematizing, storing, editing, altering, searching, using, sharing, transmitting, securing, disseminating, deleting – and much more.

Verification of information

A specific example could be when businesses need to verify that a given name actually belongs to a person. The business extracts the verification data from a network that the person uses – or from additional data sources that have the authority to verify the truthfulness of the information. This is especially relevant to businesses who are subject to the Anti-Money Laundering (AML) Directive.

If just one type of the above actions occurs, it’s considered processing under GDPR. In order to live up to EU law, all businesses should consider it data processing the moment they come into contact with personal data.

Who owns personal data?

Who owns personal data after collection?

GDPR marked a foundational shift in how broader society views data ownership. Before, it wasn’t necessarily clear who actually owned the data after it had been exchanged between two parties. User rights and the right to gain insight into what personal data is stored by businesses was often unclear.

GDPR helped to clarify these issues and principles. It was determined that the one who owns personal data is the person represented by the information. Businesses are allowed to process and use the given data but the ownership and rights will always belong to the registered party.

Data belongs to the person represented by the information.

The rights of private individuals

What rights do private individuals have in relation to their personal data?

The shift created by GDPR – which clarified the ownership rights of data – lead to that the registered persons gain the right of access, or subject access, to the data stored by businesses about them. A right that, of course, is also important for businesses to understand, as they are required to live up to the laws and regulations.

With the exception of certain outlier cases, private individuals have the right to contact businesses that they believe are processing or storing personal data and gain insight into what data they possess; for what purpose they consider valid for processing your personal data; and when consent for this type of processing was given.

This new understanding of data ownership leads us to the six principles for how businesses should process personal data. Find the definition of securing personal data, and read more below.

Secure processing of personal data

Fundamentally, GDPR requires businesses to protect both internal personal data (on e.g, employees) and external personal data (on e.g. other clients, business partners, criminals), using sufficient security measures.

It’s up to each business to assess which safeguards that apply to different situations.

Businesses typically divided these security measures into two categories:

Technical security measures	Organizational security measures
Among other things, strong firewalls, on-going updates of codes and systems, encryption and a strong IT-infrastructure.	Among the other described procedures, businesses can enact organizational security measures such as clear policies for personal data, security access, courses in correct data processing, and the further education of employees.

If you’re handling sensitive personal data (as defined above), you need to implement more strict security measures. The chosen measures are based on the risk assessment, which is a part of the GDPR’s risk-based approach to data protection.

Here’s how to get started with personal data under GDPR (The 6 Principles)

Are you interested in the underlying principles of GDPR, you can read Chapter 2, Article 5 of the General Data Protection Regulation.

This outlines the six founding principles for how businesses need to approach personal data. We’re going to explain each one here:

1. ‘Lawfulness, fairness and transparency’

Your business needs to be transparent with clients and customers about how you process their personal data. For example, the language in written communication, such as e-mails, needs to be clear and easy to understand. The clients need to know what is happening – and why. Avoid obtuse language or extensive technical jargon and set time aside to develop good, legible templates to use in the future.

All processing of personal data needs to be fair, secure and based on best practice (for example, by using the best available technology).

And lastly, your processing of personal data needs to be lawful. You need to act in the spirit and letter of the law, when processing personal data. This includes obtaining consent from clients and customers, as these are the ones who own the personal data.

2. ‘Purpose limitation’

You can only collect personal data for specific purposes. And it’s important that you inform your clients, that you’re doing this. This also entails that you only use personal data in the context the client has consented to.

3. ‘Data minimisation’

‘Need to have’ is central to data minimisation. Fundamentally, you can only collect the exact personal data needed to complete your expressed goal or purpose.

4. ‘Accuracy’

Ensuring the accuracy of the personal information is an on-going process. For that reason you need to update the data, concurrently. Furthermore, you need to correct or delete data that is inaccurate or unusable for the specific purpose it’s needed for.

5. ‘Storage limitation’

You can only store personal data as long as necessary. Therefore you need to continuously ask yourself: do we still have a purpose for storing this data? It can be a good idea to have a half-yearly or yearly event where you evaluate your stored data.

6. ‘Integrity and confidentiality’

The integrity of the data needs to be maintained. That means ensuring the data’s accuracy and credibility over time.

Simultaneously, you need to process and handle the data with great care and confidence. You can’t allow anyone to gain access to the data. That applies to people outside your organization (for example, hackers), but also people from within (for example, colleagues).

To ensure this, you need sufficient and adequate security measures. The level of security can vary from business to business. As mentioned previously, both technical and organizational security are two methods for protecting the data.

If you have a handle on the six principles, you’ve come a long way towards processing personal data correctly. And it pays off to work within the rules. Violations of the GDPR can result in fines and penalties.

Enforcement Tracker can give you an overview of fines and penalties for violating GDPR in the EU and EEA.

What can be done in the process of securing personal data?

Data can be protected in different ways and therefore, as such, there is no manual on how exactly to do it. However, some methods may be better than others.

You can achieve optimal protection of personal data through good design and good default settings.

A good data protection design allows your company to take data security into account early in the process when planning new ways of processing personal data. Here, the controller can and should take all the necessary technical and organizational decisions to implement data protection principles and protect the rights of individuals. This may include, for example, the use of pseudonymization.

Data protection with good default settings includes ensuring that the company always has the highest data protection setting as the default setting. For example, should there be two different privacy settings available and one of the settings ensures that the personal data cannot be accessed by others, this setting should be the default setting.

What is personal data? Ownership, processing and security

Everything you need to know about personal data