There are several different types of data covered by the EU GDPR (the General Data Protection Regulation, which replaces the older Data Protection Directive) – so what are they, and what do they mean for small businesses?
What GDPR Protects
GDPR protects ‘personal data’. Not everything you hold on your customers and clients is ‘sensitive’ in the narrow, special-category sense covered at the end of this post, but most of it will be personal data: any information relating to an identified or identifiable living individual, whether it identifies them on its own or only when combined with other information you hold.
The previous Data Protection Directive 95/46/EC left a grey area around some identifiers, such as IP addresses. GDPR removes that ambiguity: Recital 30 names online identifiers such as IP addresses and cookie identifiers as information that can be used to identify a person, so all such identifiers now fall under the GDPR rules.
Personal Data With Unique Identifiers
Under GDPR, any information relating to an identifiable individual is personal data. It must be processed lawfully, fairly and transparently, and secured with technical and organisational measures appropriate to the risk (Articles 5 and 32).
This data now includes: IP addresses, location data, online identifiers, online behavioural identifiers that could be traced to an individual, and mobile device IDs.
What does this mean for your business?
Well, you may be collecting this information without realising it. For example, if you use the Facebook pixel for your digital marketing, you are tracking your customers’ behaviour through an online identifier. If you also hold other information on the same users, such as their location or IP address, that behaviour can be traced back to an individual.
This means data collected in this way needs the same care you would give data a customer handed you directly, such as their bank details: a lawful basis for collecting it, a clear retention period, and security measures appropriate to the risk. It cannot be treated as anonymous analytics exhaust.
What Is Pseudonymous Data?
GDPR also formally introduces ‘pseudonymisation’ (Article 4(5)): processing personal data so that it can no longer be attributed to a specific individual without additional information, such as a key or a lookup table, and that additional information must be kept separately and protected by its own technical and organisational measures. Stripping direct identifiers and replacing them with a token, or encrypting them, are typical ways of doing this.
Pseudonymous data is still personal data and still falls under GDPR, because the link back to the individual still exists somewhere. The difference is that GDPR recognises pseudonymisation as a safeguard that reduces the risk to individuals, which makes some uses easier to justify. For example, you could analyse customer buying trends on a pseudonymised dataset without any direct identifier pointing to a single customer.
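As an added example (not code from the original post or from instantprint), the following Python script pseudonymises a small set of constructed customer records in the way described above: the direct identifiers (name, e-mail address, IP address) are removed, each customer is replaced by a keyed HMAC token, and the key plus the token-to-email table are the ‘additional information’ that must be stored separately from the analytics set. It also shows why a plain SHA-256 of the e-mail address is not a sound pseudonym. The record fields, key handling and function names are assumptions made for illustration.

```python
import hashlib
import hmac
import secrets
from collections import defaultdict

# Constructed sample records (fictional people and documentation IP ranges).
RAW_RECORDS = [
    {"name": "Alice Example", "email": "alice@example.com", "ip": "203.0.113.7",
     "product": "flyers", "spend": 40.0},
    {"name": "Bob Example", "email": "bob@example.com", "ip": "198.51.100.23",
     "product": "posters", "spend": 75.0},
    {"name": "Alice Example", "email": "Alice@Example.com", "ip": "203.0.113.9",
     "product": "posters", "spend": 30.0},
]

# Fields that identify a person directly; they never reach the analytics set.
# The IP address is simply dropped: it is an online identifier and the
# buying-trend analysis does not need it.
DIRECT_IDENTIFIERS = ("name", "email", "ip")


def pseudonym(email, key):
    """Keyed pseudonym: HMAC-SHA256 over the normalised e-mail address.

    Without `key` the token cannot be linked back to the address, even by
    someone holding a list of candidate addresses. The same address always
    yields the same token, so repeat purchases stay linkable for analysis.
    """
    normalised = email.strip().lower().encode("utf-8")
    return hmac.new(key, normalised, hashlib.sha256).hexdigest()[:16]


def pseudonymise(records, key):
    """Split raw records into an analytics set and a re-identification table.

    Returns (analytics, lookup). `lookup` maps token -> e-mail and, together
    with `key`, is the 'additional information' that GDPR Art. 4(5) requires
    to be kept separately and under its own access controls.
    """
    analytics = []
    lookup = {}
    for record in records:
        token = pseudonym(record["email"], key)
        lookup[token] = record["email"].strip().lower()
        row = {k: v for k, v in record.items() if k not in DIRECT_IDENTIFIERS}
        row["customer"] = token
        analytics.append(row)
    return analytics, lookup


def spend_per_customer(analytics):
    """Buying-trend analysis that works entirely on the pseudonymised set."""
    totals = defaultdict(float)
    for row in analytics:
        totals[row["customer"]] += row["spend"]
    return dict(totals)


def unkeyed_hash_is_reversible(email, candidate_emails):
    """Why a bare SHA-256 of the address is not a pseudonym.

    Anyone with a candidate list (a marketing list, a breach dump) can hash
    each candidate and rebuild the mapping; no secret stands in the way.
    """
    target = hashlib.sha256(email.strip().lower().encode("utf-8")).hexdigest()
    return any(
        hashlib.sha256(c.strip().lower().encode("utf-8")).hexdigest() == target
        for c in candidate_emails
    )


if __name__ == "__main__":
    # In practice the key lives in a secrets store, not beside the data.
    key = secrets.token_bytes(32)
    analytics, lookup = pseudonymise(RAW_RECORDS, key)
    print("analytics set:", analytics)
    print("spend per pseudonymous customer:", spend_per_customer(analytics))
    print("re-identification needs the separately held table:", lookup)
```

The analytics rows carry only `product`, `spend` and the token, so the marketing or analytics team can work on them without seeing who the customers are; re-identification requires both the key and the lookup table, which is exactly the separation the regulation asks for. Rotating the key gives a fresh set of tokens, which is one way to stop long-term linkage once an analysis is finished.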
GDPR And The Risk Of Harm
When trying to work out how a data file should be treated, there is a quick rule to apply.
Imagine that somebody managed to get hold of this data file: what level of harm could result, and could the people in it be picked out?
Any data that could lead to an individual being identified and put at risk, such as financial details that could be stolen, is ‘personal data’.
Data that carries no risk of harm because nobody in it can be singled out, such as aggregated customer statistics with nothing that could be linked back to an individual, is anonymous, and GDPR does not apply to it. Be careful with the middle ground: a file that only looks anonymous because names have been swapped for a code is pseudonymous, and it remains personal data for as long as you, or anyone else, hold the means to reverse that code.
GDPR And Sensitive Personal Data
There is one final category of data to consider, and it has a serious impact on any business using genetic, biometric or health data.
GDPR calls these the ‘special categories of personal data’ (Article 9), commonly referred to as ‘sensitive personal data’. Alongside genetic data, biometric data used to identify someone and health data, the list covers racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, and sex life or sexual orientation. Further restrictions apply to all of them.
For a small business the practical route is explicit consent: customers or clients must explicitly consent before this type of data is processed, unless one of the narrow exceptions in Article 9 applies (such as processing required under employment law or for medical care). Where this data is processed on a large scale, a data protection impact assessment (DPIA) must be carried out beforehand: the potential risks must be identified and measures to ensure protection and compliance put in place.
*This email master class / blog series has been prepared by instantprint as a condensed summary of GDPR and not as a full comprehensive review. We advise all readers to undertake their own further reading and research into GDPR, including a review of the GDPR guidance set out on the Information Commissioner’s Office’s website.