What is 'personal data'? IT leaders debate the GDPR definition

The GDPR's definition of 'personal data' is so broad that it is causing concern across the IT industry

Last week, Computing held an IT Leaders' Forum, attended by CIOs from a variety of industries, to discuss all aspects of the GDPR. Despite being less than a year away from full implementation, concerns about the new rules are still widespread; from definitions to specific queries about where and how the legislation will be enforced.

One point that was brought up several times throughout the night was the extreme broadness of the term ‘personal data'. Ironically, the GDPR talks about personal data so specifically that it makes the term extremely vague.

The existing EU Data Protection Directive defines personal data as 'any information relating to an identified or identifiable natural person ("data subject"); an identifiable person is one who can be identified, directly or indirectly, in particular by reference to an identification number or to one or more factors specific to his physical, physiological, mental, economic, cultural or social identity.' Under the GDPR, that definition will expand to 'any information relating to an identified or identifiable natural person ("data subject"); an identifiable person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that person' (emphasis ours).

The first legal cases will define what is and is not personal data

One attendee pointed out that, under these terms, any leak could potentially be considered a compromise of personal data: from minutes of a meeting to IP addresses. Another said that the definition "is like a puzzle and a flow chart which is actually a diagram - it's totally vague, and the first legal cases will define what is and is not personal data."

Initial rulings by the ICO will be key in informing companies about the lengths that they have to go to when it comes to compliance. The shared feeling was that organisations who have acted reasonably - showing that they have done their best to delete as much data as possible - will be treated reasonably (our recent GDPR event in Manchester confirmed this).

One attendee advised, "Start with the deletion of low-hanging fruit: candidates' CVs, not all of the emails you've sent to them. Have a process that you can show to the ICO, because there is no chance of one hundred per cent coverage." In other words, it is about what is achievable versus what is enforceable.

Another tricky situation arises when it comes to the ‘business case' for retaining data. With a valid case, you can dispute the need for deletion - but what makes a valid case? If a company has your CV and has never used it, but think that it might have a use in the future - is that valid? One source working at an NGO argued, "A business case isn't enough - it has to be a legislative case."

At the forefront of anything we do, it has to be about awareness and training

As the discussion worked toward a close, research by Computing was shared that showed that most companies are (still!) at a general level of unpreparedness. One CIO said that his major concern was awareness:

"People are the biggest problem - you have to get the business and the users to understand what personal data is and what they have permission to do with it, where they store it and why they need to be concerned about it. At the forefront of anything we do, it has to be about awareness and training."

The reply, of course, was, "How do we educate our own staff when we don't even know where the line's drawn?" It was felt that getting employees to stop and think before collecting and storing data is "the first battle."

All attendees agreed that there will always be high-risk employees in every organisation - and they often work at the C-level!

Computing regularly holds events for senior IT decision makers, discussing the important issues facing us today. For details about upcoming events, visit the IT Leaders' Forum website.