Identifying personal data

Top 3 data protection program issues and how to start resolving them: #17

It's a fundamental task for any data protection professional.

The concept of ‘personal data’ is very broad, and the broadness is often not appreciated.

I personally prefer to use the term ‘data about people.’

Your compliance journey will be a rocky one if this key definition is not understood.

With a client a couple of years back, we discovered a quality issue with DPIAs.

We could see from documentation shared with us that the people tasked with performing the assessments did not grasp the broadness of ‘personal data’ in their processing context.

A common root cause of this lack of understanding is the #1 issue:

#1 Generic education

The definition mentioned in the graphic needs to be broken down, and the old WP29 document from 2007 contains a useful 4-step model with examples that helps with this process.

The document is a good starting point, but further analysis is required.

There could be a time element involved. One minute, an item is non-personal data, and then an event occurs and the item becomes personal data.

For example, a list of IMEI numbers for a batch of new, unboxed smartphones becomes personal data once the devices are allocated to employees.

Education needs to cover the processing context.

There’ll be different contexts depending on whether it’s HR, Finance or hyper-personalisation, for example.

#2 Classification of personal data

Here, we’re far from those common examples often shown in generic education: name, email, bank details, dob, etc.

Categorising personal data based on origin also throws up some interesting challenges, especially from a risk perspective.

The risks may be associated with a lack of transparency, or with unexpected consequences of processing.

A document was published by the IAF almost 10 years ago that covers personal data that is provided, observed, derived or inferred.

Worth a read!

#3 Unaware of proxy data

Closely related to #2, but slightly different IMHO, are supposedly ordinary personal data that act as proxies for sensitive categories like gender, religion, ethnicity, political views, etc.

It could be an earring, a tattoo, a headscarf.

It could be somebody's first name.

The recent CJEU case from Lithuania and the Grindr case from Norway are good examples, and some companies hastily needed to re-evaluate their classification schemes.

Depending upon your processing context, proxy data could be a significant issue you need to be aware of and address.

Purpose and Means helps Data Protection Leaders refresh their work, focusing on business alignment and orchestration.

We’re based in Denmark, but operate globally.

If this issue resonates, book a call to discuss your requirements!

Petruta Pirvan
Tim Clements
February 24, 2023
