Decision Marketing Data Clinic: New personal data law

The Government’s proposed data reforms – under the Data Protection & Digital Information (No. 2) Bill – are due to be rubber-stamped by MPs this week and will have huge consequences for the marketing industry, but, as ever, many businesses are in the dark about what the overhaul means for them and their operations.

In the first of our series, we explained what businesses need to consider when processing data under DPDI. This week, Decision Marketing has once again joined forces with Sagacity to dig deeper into how personal data is defined.

Current definitions
The definition of personal data can be seen as very broad-ranging under the current UK GDPR, i.e., any information relating to an identified or identifiable natural person or – as many would describe it – ‘individual’-level data.

An organisation should decide whether data is personal by asking whether an individual can be identified from it, directly or indirectly, and/or whether the data can be matched with other sources of information to identify someone.

In most circumstances, it should be relatively straightforward to determine whether the information your organisation processes ‘relates to’ an ‘identified’ or an ‘identifiable’ individual. If unclear, organisations need to carefully consider the information they hold to determine whether it is personal data and whether the UK GDPR applies.

Some categories of data are known as special categories of data and are much more sensitive in nature, such as race, ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, genetic data, biometric data (where this is used for identification purposes), health data, sex life, or sexual orientation. Special category data should always be processed under consent if it can identify or is attached to a living individual.

Living individuals
The DPDI Bill uses this basic definition, but amends ‘personal data’ to refer to ‘living individuals’, rather than natural persons, and explains what is meant by ‘identified’ and ‘identifiable’. It is proposed that an individual would only be ‘identifiable’ if the means to identify them are available to the controller, the processor or others likely to receive the data.

It further clarifies when data is related to an identified or identifiable individual and when it should be considered anonymous. An ‘identifiable living individual’ is an individual who would only be identifiable by a person other than the controller and/or processor if that other person will, or is likely to, obtain the information as a result of the processing. If they are not likely to obtain the information, then it should be considered anonymous.

The implications
These changes should help reduce uncertainty as to when data is anonymised, in a manner which is likely to benefit the controller. It’s worth noting that, while this could prove a welcome step for some organisations, it will still be necessary for them to justify, risk assess, and balance why they consider certain data could not reveal an ‘identifiable living individual’.

Andy Bridges is data governance officer at Sagacity Solutions