According to the new General Data Protection Regulation (GDPR), going live on May 25th 2018, ‘personal data’ means “any information relating to an identifiable person who can be directly or indirectly identified in particular by reference to an identifier”.
In reality, this means anything that can be used to build up a picture of someone, either:
- directly: for example your home address in a database of addresses,
- or indirectly: i.e. by working with other data to discover things – so a council tax reference number, combined with your name, will lead to your address as well.
Look at it backwards – if it could be used to help someone commit identity theft (even if they must cross-reference the data somewhere else), then chances are, it’s personal.
A worked example always helps…
Let’s say that the XYZ company has a record of you, including your town of birth. They ask you this when you phone up for a password reset to ‘prove’ you are who you say you are.
An employee downloads your record (along with others) into an unencrypted spreadsheet, and puts it on an unencrypted USB stick. They’re not malicious, they just want to do some ‘sorting out at home’. But they stop off for a few beers, and leave the stick in the pub.
Someone unknown picks it up, and now your data, including that ‘special’ bit of data that is used to demonstrate that you are you, goes missing.
Combined with other info that might be on the stick – name, date of birth, account number – it might be enough to convince the XYZ company that it is you phoning up to say you’ve lost your password. And their ever-so-helpful people on the service desk (well, they’ve checked it’s really you, haven’t they? You’ve confirmed your date of birth and where you were born) go ahead and reset it.
So the criminal mastermind doesn’t change your bank account details, but they do change where the goods are to be delivered – and suddenly you get the bill for kit that’s disappeared off the face of the earth. And not only that, but now they’ve got a reference that they can use for the ABC company next door to open another account in your name.
You’d be pretty upset with the company that let your data out in the first place.
OK: realistically, we all know there are easier and quicker ways to find out information about you: be honest, you’ve probably put most of it in your public Facebook account.
But that’s not the point. It isn’t up to the XYZ company to release what they know about you, to anyone, anywhere.
It’s “personal data”: data that can help identify you.
More importantly it’s your data (not theirs), that you’ve given to them so you can do business with them. And they’ve got a duty to keep it safe.
And that’s what GDPR is about: Your data; Your rights; Your privacy. Their Duty.
They could have pseudonymised it; they could have encrypted it; they could have put in dual-factor authentication – but clearly, if they let employees walk off with personal data, they’re really not thinking this through anyway. So it will do as an example.