What exactly is ‘personal data’?
Before you can investigate “what is personal data” for your business uses, you first need to understand what the definitions of ‘personal data’ are under the new legislation.
Under GDPR, personal data is defined as any kind of data that can be used to identify a natural (living) person, known as a ‘data subject’.
This means anyone who can be identified directly, or indirectly, by:
- A name, including a social media handle or identity
- An identification number
- Location data including GPS or IP address
- Physical or behavioural identifiers
- Genetic information
- Information relating to a person’s mental state
- Economic information
- Cultural details or information
Special category data
Additionally, sensitive personal data, known as ‘special category data’, includes information that could reveal:
- A person’s age
- Their gender
- Racial or ethnic origin
- Political opinions or affiliations
- Religious or philosophical beliefs
- Trade union membership
- Biometric data
- Health information and records
- Anything about a person’s sex life or sexual orientation
Who has my personal data?
As a customer of other businesses, you have likely given your details to more companies than you can remember.
As a member of modern society you have handed your details over to banks, landlords, utility companies, gyms and doctors’ surgeries.
As a UK citizen, your personal details are known to the government, who hold tax and healthcare records on you.
The list goes on.
Why Public Domain doesn’t matter
People share a lot of personal information publicly, either posting it online, or perhaps by the way they dress or behave.
We don’t always mean to share so much. Often, we assume it’s private, or only visible to a few, such as family or friends. We usually don’t think about the consequences: that our personal information may be abused in some way, or that sharing it may lead to a risk or a loss.
Some people argue that, because personal information may exist in the ‘public domain’, it is exempt from data protection laws and companies can do what they like with it.
This is not strictly true – the purpose of using personal information that’s publicly accessible has to be for the same, or similar, purpose that it was put out there by the person whose data it is.
As an example, if you share your birthday on Facebook so friends and family can wish you many happy returns, anyone acquiring that information from that source can only use it for the same or similar reason that you put it out there in the first place.
A business can’t use personal data that they gather from public sources for reasons that differ from the reasons that information was listed. It matters how and why a business uses the information they find publicly, regardless of its public existence.
I don’t process personal data in my business
Sure you do.
Think about it – as a business owner you probably hold a lot of personal data on people at other businesses, as well as customer information, employee details, sales leads who you would like to turn into customers, and details of your own company’s suppliers.
No one operates a business in a bubble these days, devoid of any contact with personal data. Technology is far too embedded in modern life, and the law applies to paperwork too, not just online or digital information.
Safe and sound?
So, are you keeping all of this information safe? Do you regularly review and update your security and privacy processes?
That filing cabinet full of folders and paperwork in the corner of your office – when did you last go through it to shred old paperwork? Do you use a data removal and destruction service? Are you hoarding box files full of old invoices? How about the rolodex full of business cards on your desk?
For all of the personal data that flows through your business, you have an obligation to keep it safe and secure, and to use it only in accordance with the reasons it was given to you in the first place.
Smaller businesses tend to outsource a lot more of their processes than they realise, so you will also need to think carefully about who you may be sharing personal data with.
Do you use couriers and delivery services to send products to your customers? Do you use software to email marketing material? Do you outsource your payroll or accounts? Do you store your client details in a CRM? Do your company mobile devices contain business contacts and their details? Are they secured with any kind of encryption? Who hosts your web server, and where are they based?
Need a helping hand?
This can seem like a lot to consider – and you would be right to feel a little daunted. However, inaction is a risky business, and we are fairly certain that most sole traders and small businesses are pretty risk averse, especially when it comes to abiding by the law.
That’s why Sphere Data Protection have put together toolkits for SMEs to prepare for complying with the new data protection legislation. Contact firstname.lastname@example.org or call on 01442 345398 or 07534 410099 for more information.