We are now almost two years on from the introduction of GDPR. During the first year of enforcement, the Information Commissioner's Office (ICO) was quite lenient in its enforcement of the regulation, giving businesses the extra time they needed to adapt to the tightening requirements. However, since that 12 month honeymoon period ended, the ICO has begun to double down on its enforcement efforts, showing that, now that the adjustment period is over, anyone found in breach of the regulation will face severe punishment.
For the first couple of years the exact requirements of GDPR were quite murky and many businesses were unaware of the extra requirements. Thankfully, almost two years down the line there is a lot more clarity and this short guide aims to clear up some of the misconceptions surrounding GDPR requirements.
GDPR defines two categories of personal data:
Personal data: Also referred to as Personally Identifiable Information (PII). This includes any information which can be used to directly identify an individual. Examples of PII include: name, personal email address and National Insurance number.
Sensitive personal data: This includes sensitive information about an individual, including: sexuality, political or religious beliefs and medical history.
In addition to misinterpretations of the definitions of personal data, there are also a couple of other misconceptions surrounding personal data which need to be addressed.
Myth: Pseudonymised information is not considered PII
Reality: GDPR considers pseudonymised information to be personal data. Some organisations attempt to anonymise their data by replacing personal information with a code, for example ‘CLIENT 001’ in place of a customer name. However, because this code is still an identifier for an individual, there is a chance that if the data were obtained by malicious actors they would be able to link the pseudonymised information back to the individual.
Myth: Consent is straightforward
Reality: Strict guidelines exist under GDPR around what is considered consent. Under the terms of GDPR, consent given by an individual to process their personal data cannot be implied and must be explicit. They must clearly agree to the processing of their information and demonstrate their approval.
Myth: IP addresses aren’t considered personal data
Reality: GDPR classifies IP addresses as PII, even though many users “share” a single IP address and organisations often overlook IP addresses when identifying PII. If you collect IP addresses for any purpose, it is important that you protect them in the same way you would protect any other PII.
Those are just some of the more common misconceptions about what constitutes PII under the GDPR regulations. If you require more information or would like to speak to us about your GDPR requirements, please get in touch to speak to one of our specialists.
© Financechain Limited trading as SES and ses-escrow.co.uk, 2019. Unauthorised use and/or duplication of this material without express and written permission from this site’s author and/or owner is strictly prohibited. Excerpts and links may be used, provided that full and clear credit is given to Financechain Limited trading as SES and ses-escrow.co.uk, with appropriate and specific direction to the original content.