In my
previous post A Privacy Regulation Applying in the USA and Canada (and Elsewhere),
I alluded to the worldwide impact of the General Data
Protection Regulation (GDPR)*. In this post, I would like to clarify** the
GDPR’s definitional scope of personal data.
The GDPR considers data to be personal if they relate to an
identified or identifiable natural person (“data subject”). Although the
term “identifiable” tends to consume all the attention here, the term
“relate” actually carries more weight, as it widens the definition in a way
that resonates with common sense.
So while, for example, a Social Security Number, International Bank Account Number
(IBAN) or passport number uniquely identifies an individual and is therefore
unquestionably personal data, the GDPR also considers non-identifying
attributes such as weight (at a given point in time), height or eye color to be
personal data if they can be assigned to an identifiable individual.
But the term “relate” pertains to even more than a natural person’s
attributes. A prominent example is a civic address register, which certainly is
public and in no way constitutes personal data in and of itself. However, if
a register entry, e.g. “123 Main Street, Newcastle, Fantasyland”, relates to an
individual “Jane Doe”, where the relationship is “is residential address of”,
that entry, by common sense and GDPR, becomes part of Jane Doe’s
personal data.
You will find a more complete approach in my post “GDPR & Personal Data - Context is Key and (Foreign) Key is Context”, which underscores
that data modeling is a mandatory discipline in any medium or large
organization that needs to get its head around personal data.
* Official publication of GDPR at https://eur-lex.europa.eu/legal-content/EN/TXT/?qid=1528874672298&uri=CELEX%3A32016R0679
** Legal disclaimer: This blog post is not intended to be legal advice, but to
raise awareness that it is recommended to consult a
lawyer.