GDPR – Is it special?
For many organisations, keeping the personal data they handle safe is nothing new, especially if they already have robust Data Protection Act 1998 procedures in place (you do already have those, don’t you?). What is new is that the GDPR requires organisations to document their data collection and processing policies and procedures before carrying out the processing. It must then be possible to show ongoing compliance with those policies and procedures. And don’t forget to determine the lawful basis for the processing as well!
In an earlier article I looked at processing personal data, but what about the special categories of data – do they need to be handled any differently?
The special categories of personal data
The special categories of personal data are:
- Racial or ethnic origin;
- Political opinions;
- Religious or philosophical beliefs;
- Trade union membership;
- Genetic data and biometric data for the purpose of uniquely identifying a natural person;
- Data concerning health;
- Data concerning a natural person’s sex life or sexual orientation.
As with personal data you must consider the lawful basis for processing the special categories of personal data:
- With the explicit consent of the data subject, unless reliance on consent is prohibited;
- Necessary for the carrying out of obligations under employment, social security or social protection law, or a collective agreement;
- Necessary to protect the vital interests of a data subject who is physically or legally incapable of giving consent;
- Processing carried out by a not-for-profit body with a political, philosophical, religious or trade union aim provided the processing relates only to members or former members and provided there is no disclosure to a third party without consent;
- Data manifestly made public by the data subject;
- Necessary for the establishment, exercise or defence of legal claims;
- Necessary for reasons of substantial public interest and has appropriate safeguarding measures;
- Necessary for the purposes of preventative or occupational medicine, for assessing the working capacity of the employee, medical diagnosis, the provision of health or social care or treatment or management of health or social care systems and services;
- Necessary for reasons of public interest in the area of public health;
- Necessary for archiving in the public interest, or for scientific, historical or statistical research.
Data Protection Impact Assessments
The GDPR introduces a new requirement to carry out a data protection impact assessment (DPIA) when a type of processing is likely to result in a high risk to the rights and freedoms of data subjects. DPIAs are mandatory in the case of large-scale processing of special categories of data, and you must consult your data protection officer (DPO), if appointed, when carrying out a DPIA. Where appropriate, you must also seek the views of data subjects or their representatives on the intended processing, without prejudice to the protection of commercial or public interests or the security of processing operations.
Anonymisation and Pseudonymisation
You can reduce the sensitivity of the personal data you are processing in a few ways:
- The best solution is to use anonymous data. If the data have been correctly anonymised (meaning that the individuals cannot be identified any more), they no longer count as personal data and therefore the GDPR does not apply. Data used for academic research is always anonymised wherever possible, and this approach is also suitable for large-scale data processing for marketing purposes. One of the methods that may be used is to combine data to form groups. If this method is chosen, the amount of data must be large enough to ensure each group always contains a reasonable number of individuals (a minimum of 50 people often applies). You need to be aware that the wider the variety of data you collect, the more likely it is that a person will be identifiable if the data are combined;
- Another commonly used method is pseudonymisation. In this method, all the elements in a dataset that identify an individual are removed and replaced by a meaningless key. The file containing the keys is stored separately. Although such data still qualify as personal data, because they relate to an identifiable person, the risk that there will be an impact on any of the persons concerned is much lower. Pseudonymisation is therefore a good security measure for the special categories of personal data that have to be transferred, for example.
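The two methods above, sketched as an added example that is not part of the original article: identifiers are swapped for a random key held in a separate key table, and grouped counts are only released when a group reaches the 50-person minimum. The field names, the 16-byte key length and the sample records are assumptions constructed for illustration.

```python
import secrets
from collections import Counter

DIRECT_IDENTIFIERS = ("name", "email")  # assumed column names
MIN_GROUP_SIZE = 50                     # the minimum quoted in the article

def pseudonymise(records, key_table):
    """Swap direct identifiers for a random key. key_table (key -> identifiers)
    stands in for the key file that must be stored separately from the output."""
    reverse = {ident: key for key, ident in key_table.items()}
    out = []
    for rec in records:
        ident = tuple(rec[f] for f in DIRECT_IDENTIFIERS)
        if ident not in reverse:
            key = secrets.token_hex(16)  # random, so it carries no meaning
            key_table[key] = ident
            reverse[ident] = key
        row = {k: v for k, v in rec.items() if k not in DIRECT_IDENTIFIERS}
        row["pseudonym"] = reverse[ident]  # same person -> same key
        out.append(row)
    return out

def aggregate(rows, group_fields, min_size=MIN_GROUP_SIZE):
    """Count rows per group; withhold any group smaller than min_size.
    Returns (published_counts, number_of_rows_suppressed)."""
    counts = Counter(tuple(r[f] for f in group_fields) for r in rows)
    published = {g: n for g, n in counts.items() if n >= min_size}
    suppressed = sum(n for n in counts.values() if n < min_size)
    return published, suppressed

def sample_records():
    # Constructed sample data: 120 fictional people, no real individuals.
    bands = ["18-39", "40-64", "65+"]
    return [{"name": f"Person {i}", "email": f"p{i}@example.test",
             "region": "North" if i < 70 else "South",
             "age_band": bands[i % 3],
             "condition": "asthma" if i % 2 else "none"}
            for i in range(120)]

if __name__ == "__main__":
    key_table = {}  # in practice: a separate store with its own access control
    rows = pseudonymise(sample_records(), key_table)
    print("pseudonymised row:", rows[0])
    # One attribute: both groups reach the minimum and can be released.
    print("by region:", aggregate(rows, ["region"]))
    # More attributes combined: every group drops below 50 and is withheld.
    print("by region/age/condition:",
          aggregate(rows, ["region", "age_band", "condition"]))
```

The pseudonymised rows still hold region, age band and health condition, so they remain personal data; only the aggregated counts that pass the size check move towards anonymous data.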
The GDPR is designed to protect personal data in order to protect privacy and individuals’ rights. This does not include anonymous data, but all other information which may identify a data subject directly or indirectly, including pseudonymised personal data, is covered by the GDPR. You should consider whether even anonymous data can be used to identify an individual: the more data gets combined and aggregated, the more substantial the personal data becomes, the more difficult it becomes to de-identify, and the higher the risks and responsibilities.