What does the General Data Protection Regulation require?
- Personal data and unique identifiers: The GDPR makes clear that the concept of personal data includes online identifiers and location data – meaning that the legal definition of personal data now puts beyond any doubt that IP addresses, mobile device IDs and the like are all personal data and must be protected accordingly. This means that these types of data will now be subject to fairness, lawfulness, security, data export and other data protection requirements just like every other type of ‘ordinary’ personal data.
- Pseudonymous data: The GDPR introduces a new concept of “pseudonymous data” – in simple terms, personal data that has been subjected to technological measures (like hashing or encryption) such that it no longer directly identifies an individual without the use of additional information. Pseudonymous data is still considered a type of personal data and so is subject to the requirements of the GDPR. On the plus side, though, organizations that pseudonymize their data will benefit from relaxations of certain provisions of the GDPR, in particular with respect to data breach notification requirements (because loss of pseudonymized data is unlikely to create risk of harm – Arts 33 and 34), possible exemption from the need to comply with data subject access, correction, erasure and data portability requests (Art 11), and greater flexibility to conduct data profiling without data subject consent (since processing of pseudonymized data is unlikely to ‘significantly affect’ a data subject – Art 22). The GDPR also encourages pseudonymization in the interests of enhancing security and as a privacy by design measure. Put simply, organizations will have very strong incentives to employ data pseudonymization technologies under the GDPR to mitigate their compliance obligations and manage their risks.
- Genetic data and biometric data: The GDPR introduces specific definitions of “genetic data” (e.g. an individual’s gene sequence) and “biometric data” (e.g. fingerprints, facial recognition, retinal scans etc.). Genetic data and biometric data are both treated as sensitive personal data under the GDPR, affording them enhanced protections and generally necessitating individuals’ explicit consent where these data are to be processed. Large-scale processing of genetic data and biometric data (and, indeed, any other category of sensitive personal data) will trigger a requirement for controllers to undertake a data protection impact assessment to identify potential risks involved in processing this data and measures taken to ensure compliance.