GDPR: Personal Data vs. Sensitive Personal Data

In comparison to the existing European Data Protection Directives, the European Union’s new General Data Protection Regulation (GDPR) modifies and simplifies the definition of personal data, whereas the definition of sensitive personal data has been retained and extended to additionally cover genetic data and biometric data.

Additionally, there are some changes to the conditions for processing both personal data and sensitive personal data.

What are the differences?

Under the UK Data Protection Act 1998 (DPA), personal data is data which relates to a living individual who can be identified either directly from that data or indirectly from that data and other information which is in the possession of, or is likely to come into the possession of, the data processor. This includes any expression of opinion about the individual and any indication of the intentions of the data processor or any other person in respect of the individual.

Under GDPR this is changed and simplified to any information relating to an identified or identifiable natural person.

While the definition appears to have been simplified, it is made more detailed by reference to a series of identifiers, including name, address, online identifiers (such as an IP address or email address) and location data (e.g. GPS coordinates).

The definition under the DPA for Sensitive Personal Data consists of information including the racial or ethnic origin of the data subject, his political opinions, his religious beliefs or other beliefs of a similar nature, whether he is a member of a trade union, his physical or mental health or condition, his sex life, the commission or alleged commission by him of any offence; or any proceedings for any offence committed or alleged to have been committed by him, the disposal of such proceedings or the sentence of any court in such proceedings.

Under the GDPR this definition of sensitive personal data is extended to include genetic data, biometric data, data concerning health or data concerning a natural person’s sex life or sexual orientation.

Information about criminal convictions is now treated separately and subject to even tighter controls.


Conditions for Processing

In addition to complying with all six data protection principles, when processing personal data, you must also satisfy at least one processing condition. If you are processing sensitive personal data, at least one sensitive personal data processing condition must also be satisfied.

The grounds for processing personal data under GDPR are broadly similar to those for processing personal data under the DPA. The processing of personal data will be unlawful if you do not satisfy at least one of the following conditions:

  1. You must have the consent of the data subject. This is essentially the same as under the DPA, but GDPR has a narrower view of what constitutes consent.
  2. The processing must be necessary for the performance of a contract with the data subject or to take steps in preparation for such a contract.
  3. The processing must be necessary for compliance with a legal obligation of a Member State or EU law to which you are subject.
  4. Processing the data is necessary to protect the vital interests of a data subject or another person where the data subject is incapable of giving consent. This is probably only applicable in medical emergencies where there are no other grounds available.
  5. The processing must be necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in you under Member State or EU law.
  6. The processing is necessary for the purposes of legitimate interests (this condition cannot be relied on by public authorities).

The grounds for processing sensitive data under the GDPR must satisfy at least one of the following conditions:

  1. You must have the explicit consent of the data subject, unless reliance on consent is prohibited by EU or Member State law.
  2. Processing must be necessary for carrying out your obligations under employment, social security or social protection law, or a collective agreement.
  3. The processing must be necessary to protect the vital interests of a data subject who is physically or legally incapable of giving consent.
  4. Processing can only be carried out by a not-for-profit body with a political, philosophical, religious or trade union aim provided the processing relates only to members or former members (or those who have regular contact with it in connection with those purposes) and provided there is no disclosure to a third party without consent.
  5. The processing must be necessary for the establishment, exercise or defence of legal claims or where courts are acting in their judicial.
  6. The processing must be necessary for reasons of substantial public interest based on Union or Member State law which is proportionate to the aim pursued and which contains appropriate safeguarding measures.
  7. The processing must be necessary for the purposes of preventative or occupational medicine, for assessing the working capacity of the employee, medical diagnosis, the provision of health or social care or treatment or management of health or social care systems and services on the basis of Union or Member State law or a contract with a health professional.
  8. The processing must be necessary for reasons of public interest in the area of public health, such as protecting against serious cross-border threats to health or ensuring high standards of healthcare and of medicinal products or medical devices.
  9. The processing must be necessary for archiving purposes in the public interest, or scientific and historical research purposes or statistical purposes in accordance with Article 89(1).


What is the impact for companies?

The requirements under GDPR are essentially very similar to the existing DPA legislation. However, it will become much harder to process information about criminal records.


What actions should you be taking?

We suggest you:

  1. Review existing data you collect and process. You should identify whether you collect and process data that falls under the expanded definitions in GDPR.
  2. Review the conditions under which you process both personal and sensitive personal data. If you rely entirely on consent from the data subject, the consent mechanisms used should be reviewed to ensure they were freely given, positive opt-in consents and that you are able to stop processing immediately when consent is withdrawn.
  3. Identify whether your conditions for processing impact individuals’ rights granted by GDPR.
  4. If you process substantial amounts of genetic, biometric or health data, you should also pay particular attention to national developments as Member States have a right to impose further conditions on the grounds set out in the GDPR.

Want help?

If GDPR is worrying you or if you simply are not sure how GDPR might affect your business, we are here to help. We are happy to set up a short, no obligation call to help you understand the implications of GDPR on you and your business.

Request a call here.

