One year (or thereabouts) since the implementation of the GDPR across the EU, it’s worth taking stock of what is covered and what constitutes personal data under the legislation.
What Is Personal Data?
Broadly speaking, personal data is any information from which a living individual can be identified. A person’s name, workplace and address are obvious examples, because these allow direct identification. Data that allows an individual to be identified indirectly is also personal data, even if the person is not named.
Examples may include:
- Telephone numbers
- Email addresses
- Date of birth
- Information relating to personal history – place of birth, marriage, university etc.
- Social media accounts
- Banking and financial information
The important factor that makes this data personal is that it can be used, alone or in combination with other information, to identify a specific living individual, whether or not that individual is named. So an address on its own is not personal data, but it becomes personal data as soon as it can be linked to the fact that Sam Smith lives there.
This makes the field of personal data both extremely broad and somewhat ambiguous. On its own even a person’s name may not count as personal data, because there is more than one Sam Smith. But when the name is combined with a phone number, email address or national insurance number, a specific individual is implied and the information must be treated as personal data.
By the same logic, even impersonal descriptions such as eye, hair and skin colour, height or shoe size may be deemed personal data if they lead to an individual being identified indirectly. Using an example from real life, we may not know the names of many people who live on our street, but we can still identify quite a few of them by reference to their home address, relationship status, nationality, physical description, approximate age, gender, the car they drive and number of children, right down to the shops they use and the gym they attend.
Clearly, businesses need to be very diligent when recording information about people, as personal data has to be handled very carefully indeed.
Within the field of personal data, some information is treated as ‘special category’ data and attracts extra protection. This includes information about an individual’s:
- Political affiliation
- Sexual orientation
- Racial background
- Criminal record
- Medical history
- Religious or philosophical beliefs, trade union membership, and genetic or biometric data used to identify someone
Criminal conviction and offence data is not formally a special category under the GDPR, but Article 10 places similar restrictions on processing it.
Personal data and consent
It is hard to avoid collecting and handling personal data as an organisation. Businesses routinely store personal information about employees, and often about customers and suppliers, especially B2C businesses. It is legitimate for an organisation to hold personal data as long as it has a lawful basis for doing so; consent is one such basis, but the GDPR also recognises others, such as performance of a contract, compliance with a legal obligation or the organisation’s legitimate interests. (Business data, e.g. a list of company names and generic email addresses, is not personal, but it becomes so when the data links named individuals to a certain company.)
Where consent is relied on, the GDPR requires it to be freely given, specific, informed and unambiguous, and explicit for special category data. Whatever the lawful basis, the data may only be used for the specific purposes it was collected for, and must not be kept longer than those purposes require, after which it should be securely deleted.
Data Security & IT Asset Disposal
It is the legal responsibility of the organisation that decides why and how the data is used (the data controller) to safeguard the personal data it holds, and that includes choosing only processors, such as disposal contractors, that can provide sufficient guarantees of security. This is why secure IT asset disposal is so important. Company laptops, smartphones and USB sticks routinely hold gigabytes of personal data of all shades and shapes.
The consequences of this data falling into the wrong hands can be dire for the individuals concerned and for the businesses that hold responsibility for that data. The GDPR provides for stiff fines (up to €20 million or 4% of global annual turnover, whichever is higher) and other legal penalties for lax data security, and that includes entrusting personal data on old IT assets to an unreliable third party. If a breach happens, it is still your responsibility as the controller, not only theirs.
This is where ADISA-certified companies can provide you with reassurance: their certification is based on independent audit of their processes, so you are not handing your data over to an unmonitored and unregulated waste disposal company.
With personal identity security and organisational reputation at stake, we don’t recommend businesses take any risks. There are simply too many ‘what ifs’ when using a free recycling service or a non-ADISA-certified asset disposal service. Unless the company can demonstrate, with a certificate of destruction and an audit trail, that data is permanently and completely destroyed when the asset is recycled, there is still the risk of a data leak. Bear in mind that simply deleting files or reformatting a drive does not remove the data, and that flash-based storage such as SSDs cannot be reliably wiped by overwriting alone, so sanitisation should follow a recognised standard (for example NIST SP 800-88) or the media should be physically destroyed.
Secure Asset Recycling From Absolute IT
At Absolute IT Asset Disposal we offer a secure data shredding and sanitisation service you can rely on. With advanced data cleansing software and a detailed audit trail for each transaction, we ensure that your customers’, employees’ and suppliers’ personal data is responsibly deleted whenever you dispose of old IT assets. To find out more please call us today on 01332 371989.