One of the major struggles for organizations that must comply with the European Union’s “General Data Protection Regulation” (GDPR) from 25 May 2018 is that ‘personal data’ is defined far more broadly under GDPR than under US regulations. “No other privacy law in the world matches its breadth and scope,” says Washington, D.C.-based attorney Bret Cohen, a partner with Hogan Lovells US LLP.
So before we can even consider the specific requirements and how to comply, we must discern what data falls under the protections of GDPR.
The first thing to note is the definition itself: personal data is “any information relating to an identified or identifiable natural person”, and identification may be either direct or indirect. Direct identification is straightforward: you know my name plus some other piece of data. Indirect identification means you know me by description, ‘the GRC lead for Foresite’, plus some other piece of data. The test is whether a person can be singled out, not whether a name appears in the record.
Next, Article 4(1) spells out how identification can happen: “in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person”. Location data and online identifiers are named explicitly, and Recital 30 gives IP addresses, cookie identifiers and RFID tags as examples of online identifiers. This puts beyond any doubt that IP addresses, cookie values, mobile device IDs and similar technical values are personal data.
Probably the most widely discussed consequence of this definition concerns email addresses. An email address is personal data, so every use of it needs a lawful basis under Article 6, and where that basis is consent, GDPR sets a high bar: consent must be freely given, specific, informed and unambiguous, and given by a clear affirmative action. Silence, pre-ticked boxes or an ‘I agree’ button at the bottom of a EULA do not meet that bar. Consent also has to be given per purpose, so any derived use of the address (marketing lists, profiling, sharing with partners) must be spelled out in detail for the individual to confirm, and the individual can withdraw that consent at any time.
GDPR also carves out “special categories of personal data” (commonly called “sensitive personal data”): data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs or trade union membership, genetic data, biometric data processed to uniquely identify a person, and data concerning health, sex life or sexual orientation (Article 9). Processing these is prohibited unless one of the Article 9(2) exceptions applies. Personal data relating to criminal convictions and offences is afforded its own protection under Article 10. The regulation also gives specific definitions of “genetic data” (e.g. an individual’s gene sequence) and “biometric data” (fingerprints, facial images, retinal scans and the like).
Pseudonymous data, meaning personal data that has been processed (for example by hashing, tokenisation or encryption) so that it can no longer be attributed to a specific person without the use of additional information that is kept separately, is still personal data and is still protected. Unlike some standards, where encrypted data falls out of scope under certain circumstances (PCI DSS, for instance, when the entity holds no decryption keys), GDPR never takes pseudonymised or encrypted data out of scope. Pseudonymisation is treated as a security safeguard (Article 32) and can relax some obligations, such as notifying individuals of a breach when the affected data was rendered unintelligible (Article 34(3)(a)), but it does not exclude the information. Only truly anonymous data, from which the person can no longer be identified by any means reasonably likely to be used, is outside the regulation (Recital 26).
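The pseudonymisation point is worth seeing in code. The following Python is an added example written for this page, not code from Foresite or from any regulatory guidance; the sample records, the candidate list and the link key are constructed here so it runs offline. It contrasts an unkeyed hash of an email address, which anyone holding a plausible list of addresses can reverse, with an HMAC under a separately held key, which only the key holder can link back to a person. Both outputs remain personal data; the second is what Article 4(5) calls pseudonymised, and the key is the “additional information” that has to be kept apart from the dataset.

```python
import hashlib
import hmac
import secrets
from typing import Iterable, Optional

# Constructed sample records (fictitious people, documentation-range IPs).
# Under GDPR Art. 4(1) every identifier here is personal data: the e-mail
# identifies directly, the IP address is an "online identifier".
SAMPLE_RECORDS = [
    {"email": "Alice@Example.com", "ip": "203.0.113.7", "plan": "pro"},
    {"email": "bob@example.org", "ip": "198.51.100.24", "plan": "free"},
]

# The "additional information" of Art. 4(5): the secret that links pseudonyms
# back to people. Generated inline so the example runs stand-alone; a real
# deployment keeps it in a separate store (HSM/KMS) away from the dataset.
LINK_KEY = secrets.token_bytes(32)


def normalise(identifier: str) -> str:
    """Canonicalise before hashing so that 'Alice@Example.com ' and
    'alice@example.com' yield one pseudonym; otherwise linkage silently breaks."""
    return identifier.strip().lower()


def naive_pseudonym(identifier: str) -> str:
    """Unkeyed SHA-256. Looks anonymous, but anyone who can guess the input
    can recompute it, so it is personal data with no extra protection."""
    return hashlib.sha256(normalise(identifier).encode("utf-8")).hexdigest()


def dictionary_reverse(digest: str, candidates: Iterable[str]) -> Optional[str]:
    """Reverse an unkeyed hash by recomputing it over a candidate list (a
    breach dump, a marketing list, or every address already in your CRM)."""
    for cand in candidates:
        if hmac.compare_digest(naive_pseudonym(cand), digest):
            return normalise(cand)
    return None


def keyed_pseudonym(identifier: str, key: bytes) -> str:
    """HMAC-SHA256 pseudonym. Without `key` the candidate-list attack above
    fails, which is what makes this pseudonymisation rather than obfuscation."""
    return hmac.new(key, normalise(identifier).encode("utf-8"), hashlib.sha256).hexdigest()


def reidentify(pseudonym: str, candidates: Iterable[str], key: bytes) -> Optional[str]:
    """Whoever holds the key can still single the person out, which is exactly
    why Recital 26 keeps pseudonymised data inside the Regulation."""
    for cand in candidates:
        if hmac.compare_digest(keyed_pseudonym(cand, key), pseudonym):
            return normalise(cand)
    return None


def pseudonymise_record(record: dict, key: bytes) -> dict:
    """Replace the identifying fields with keyed pseudonyms and keep the rest,
    so the record stays joinable and useful for analytics."""
    out = dict(record)
    out["email"] = keyed_pseudonym(record["email"], key)
    out["ip"] = keyed_pseudonym(record["ip"], key)
    return out


def demo() -> dict:
    """Run both schemes against the sample data and report what an attacker
    holding only a candidate list (no key) can recover."""
    candidates = [r["email"] for r in SAMPLE_RECORDS] + ["carol@example.net"]
    naive = naive_pseudonym(SAMPLE_RECORDS[0]["email"])
    keyed = keyed_pseudonym(SAMPLE_RECORDS[0]["email"], LINK_KEY)
    return {
        "naive_reversed": dictionary_reverse(naive, candidates),           # alice@example.com
        "keyed_without_key": reidentify(keyed, candidates, b"\x00" * 32),  # None
        "keyed_with_key": reidentify(keyed, candidates, LINK_KEY),         # alice@example.com
        "stored_record": pseudonymise_record(SAMPLE_RECORDS[0], LINK_KEY),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

The design point is the separation: the pseudonymised records can live in the analytics database, while `LINK_KEY` lives somewhere with its own access control. Lose that separation (key stored in the same table, or an unkeyed hash that a candidate list can reverse) and you have not reduced the data's identifiability at all, so none of the relaxations GDPR grants for pseudonymised data would apply.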
All of these data types need to be identified and inventoried before an organization can go on with the rest of GDPR compliance. This is critical to plan for, as the penalties for the most serious infringements reach up to 20 million euros or 4% of total worldwide annual turnover for the preceding financial year, whichever is HIGHER (Article 83(5)); a lower tier of up to 10 million euros or 2% applies to other infringements.