In my previous post “A Privacy Regulation Applying in the USA and Canada (and Elsewhere)”, I alluded to the worldwide impact of the General Data Protection Regulation (GDPR)*. In this post, I would like to clarify** the GDPR’s definitional scope of personal data.
The GDPR considers data to be personal if they relate to an identified or identifiable natural person (“data subject”). Although the term “identifiable” tends to attract all the attention here, the term “relate” actually carries more weight, as it widens the definition in a way that resonates with common sense.
So while identifiers such as a Social Security Number, an International Bank Account Number (IBAN) or a passport number uniquely identify an individual and are therefore unquestionably personal data, the GDPR also treats non-identifying attributes such as weight (at a given point in time), height or eye color as personal data if they can be assigned to an identifiable individual.
But the term “relate” pertains to even more than a natural person’s attributes. A prominent example is a civic address register, which is certainly public and in no way constitutes personal data in and of itself. However, if a register entry, e.g. “123 Main Street, Newcastle, Fantasyland”, relates to an individual “Jane Doe”, where the relationship is “is residential address of”, that entry, by common sense and by the GDPR, becomes part of Jane Doe’s personal data.
You will find a more complete approach in my post “GDPR & Personal Data - Context is Key and (Foreign) Key is Context”, which underscores that data modeling is a mandatory discipline in any medium or large organization that needs to get its head around personal data.
* Official publication of GDPR at https://eur-lex.europa.eu/legal-content/EN/TXT/?qid=1528874672298&uri=CELEX%3A32016R0679
** Legal disclaimer: This blog post is not intended to be legal advice, but to raise awareness that it is recommended to consult a lawyer.