GDPR data – Compliance with the GDPR regulation

All firms hold personal data to a greater or lesser extent, and yours is no exception. As a result, you have to make sure your firm complies with the GDPR.

Any data relating to an identifiable person is personal data

Obvious examples are the names of individuals, such as those you hold on your customers (or their representatives) or your staff. Note that any data that could directly or indirectly identify an individual is also considered personal data. So email addresses, postal addresses and other location data (e.g. GPS coordinates) relating to individuals are personal data too. Identifiers of various kinds, e.g. passport numbers, dossier numbers and client numbers, are for the same reason also personal data, even when the name itself is not stored alongside them.

GDPR considers any data that relates to an identifiable individual to be personal data.

Some of that data the GDPR classifies as special category data: personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership; genetic data; biometric data processed for the purpose of uniquely identifying a natural person; data concerning health; and data concerning a person's sex life or sexual orientation. Special category data is subject to more stringent security and privacy rules, which are set out in Art. 9 of the GDPR. Most medical professions are likely to hold special category data, as do insurance firms operating in the medical space, for example.

A key GDPR requirement is data minimisation: process only the personal data that is adequate, relevant and necessary for your purpose. Especially in the case of special category data, always ask whether you really need that data to fulfil your business objective or purpose, and if not, do not collect or retain it.


For more GDPR-related information, see our GDPR Knowledge Base on Data Security or our post on GDPR Compliance checklist for the SME.

Also, feel free to use our free GDPR Policy checker to check whether your policy is compliant.