Scope of GDPR
The GDPR will apply to the processing of personal data, as under the current Data Protection Acts. The new definition* of personal data, however, specifically includes information such as ID numbers and IP addresses that can be used to identify a person online. In practice, any data about a living person who can be identified from the data available (or potentially available) will count as personal data. This will include reversibly anonymised (‘pseudonymised’) data i.e. replacing any identifying characteristics of data with a value which does not allow the data subject to be directly identified (pseudonym). Where a pseudonym is used, it is often possible to identify the data subject by analysing the underlying or related data.
Stronger safeguards and requirements will be required for sensitive personal data (referred to as ‘special categories of data’ under the GDPR). This refers to data falling under the following categories (the last two of which are not included in the current Acts):
- Racial or ethnic origin
- Political opinions
- Religious or philosophical beliefs
- Trade union membership
- Data concerning health
- Data concerning a person’s sex life or sexual orientation
- Genetic data
- Biometric data
Personal data falling under these categories can be processed only under specific circumstances, which are described in Article 9(2) of the GDPR.
Personal data relating to criminal convictions and offences are not included as special categories of data, but there are similar extra safeguards applied to processing them.
*Personal data is defined as:
“any information relating to an identified or identifiable natural person ('data subject'); an identifiable natural person is one who can be identified, directly or indirectly, in particular in reference to an identifier such as name, an identification number location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person”.