In the blog series "The 7 biggest misunderstandings about the GDPR" we settle the 7 most frequently heard misunderstandings. One of the key concepts in the General Data Protection Regulation (GDPR) is ‘personal data’. There are often misunderstandings about this concept. It is not only about names, but also about privacy-sensitive information. In this blog we explain what a personal data is.
Do we still know him? Bill of the classic children’s game 'Who is it?'. The game is played with two players. Each player has a game board with 24 pictures of portraits of people which can be folded down. The people on the ticket have different characteristics. There are several versions of each feature on the board (for example a couple of people with glasses, a pair with red hair, some with a moustache, etc.), but in the end all pictures are unique. Below the portraits is the name of the person. Each player keeps a person's card, which is also on the folding board. The aim is to find out the identity of the person on your opponent's ticket. This is done by asking closed questions about the character ("Is your character bald, does your character have glasses," etc.)? As a child we hadn't got it yet; but what we did here was combining personal data to identify someone! (Man + bald + red goatee = Bill)
It is a misunderstanding that personal data only concerns names or only sensitive information. 'Personal data' is a very broad concept. Many of the answers to the closed questions that we ask each other in 'Who is it?' is personal data (gender, presence/absence of hair, hair colour, color eyes, eye aberration (glasses?)). After all, by combining this information we can identify a person. In the game, however, we mainly use the external characteristics of people. The concept of personal data includes many more data, namely, as defined by the GDPR: all information about an identified or identifiable natural person.
In determining whether a natural person is' identifiable', account should be taken of all reasonable means available to the controller or another person to directly or indirectly identify the natural person.A piece of information can help to identify someone directly, for example a person's first and last name; or a piece of information can help to identify someone indirectly, for example a membership number of a sports club. It is not required that the controller can effectively identify the data subject with the information. The fact that someone else can do this means that the information is regarded as personal data. Example: a membership number of a sports club. Not everyone can identify a person with this number. This requires more information posessed by the association: which membership number belongs to which name? This information is not accessible to everyone. However, the fact that someone else (a member of the sports association) does have access to this database - and can make the link between membership number and name - means that a membership number is a personal data.
To identify someone it is not necessary to have his or her name. A person can also be identified by, for example, the combination of his or her location and another personal characteristic ("the oldest man of the village"), or by other features such as external, social or cultural characteristics and whether or not belonging to a certain group ("that boy of the hockey club with purple hair").
In order to determine whether someone is identifiable, it is considered whether identification is reasonably possible for the controller or another person. It is then considered which means could reasonably be used. To determine what constitutes 'reasonable means', all kinds of factors need to be considered, such as the cost, the amount of time needed for identification, the available technology at the moment of identification, but also future technological developments.
The GDPR does not apply to anonymised data. Anonymisation is the process by which personal data are rendered unusable for identification purposes; the data are therefore no longer personal data and therefore the GDPR does not apply. Anonymisation requires more than just omitting names or contact details from a dataset; 'customer 33' or 'student s84969623' are still personal data. First, anonymous data can be obtained by aggregation. This is merging data into information such as: the average patient with disease X is between 60 and 70 years old. Another method is randomisation. In this case, certain information in a dataset is replaced by random information. For example, within a group of participants in an investigation, the year of birth and the place of residence can be changed randomly. If the age is relevant for the study, the group of participants can be divided into different age categories. Then the age of a participant can be replaced by the age of someone else from the same age category. This allows you to make a statement about the group of participants in a certain age category, but not at an individual level. If you look at an individual case, the identity of the participant is no longer easy to trace based on his age. Pseudonymised data exists as well besides personal data and anonymous data. This second topic will be dealt with next. We will also discuss the following subjects:
Do you want clarity about what the GDPR exactly means for your organisation? Then keep an eye on our blog page in the coming weeks and read/learn how you can solve these misunderstandings about the GDPR.