The new definition of personal data in the GDPR era

Given the attention that the upcoming General Data Protection Regulation has received over the last few months, by now most businesses will be well aware of its aim; to transform the way that data is viewed, both in terms of protection and privacy.

It’s an issue that is front of mind for employers and employees alike. Everyone, and every business, is faced with the same compliance challenge. A challenge that now will play a role in all decisions, whether they’re about changes to business infrastructure or updates to a company’s offering.

>See also: The multinational impact of GDPR

For many organisations, the journey to ensure that all systems and technologies are compliant is an ongoing one.

And, although many of the headlines have honed in on the hysteria surrounding the 25th May- or ‘deadline day’ as it’s become known- who says that change has to be a negative thing?

A change in mindset

Personal data is at the heart of the new regulation. Of course, the importance of protecting it is not a new concept but, as of May, the potential consequences for failing to do so threaten to be higher than ever before.

But what constitutes personal data?

Well, under the new regulation its definition is set to change. ‘Personal data’ will now refer to “any information relating to an identified/identifiable natural person”. For the first time, this will include online identifiers, such as IP addresses. It’s a bit of a mindset change to say the least, and something that businesses need to be working on embedding into their offering and their services.

>See also: GDPR – managing your data has just become more important

Businesses need to bear this new definition in mind whilst focusing their efforts on the analysis of any databases and systems within their current infrastructures and reviewing any data management practices.

The initial analysis process will probably lead to some changes. It’s to be expected, given that the purpose of GDPR is to improve the way that organisations collect, store and use personal data.

Some businesses may find themselves having to review the management of their core databases and the way that they regionalise data within various data centres.

Under the new regulation, the replication of data will become far more restricted. Organisations will no longer be able to copy core databases as freely. Instead, it will be up to their customers to specify which region- and even which data centre- they’d like their core information to reside in. It’s all part of the new ‘opt in’ system that GDPR will enforce.

>See also: GDPR: Compliance to commitment

This will be a concern for many organisations, especially those providing a service that relies heavily on quick and efficient response times to customers. This is because further distance often equals more time. If users are physically further away from their core database information, they can be subject to delays- for example, when accessing web or cloud applications.

It seems as if this is an unavoidable consequence of compliance- at least it is at this stage. It’s a challenge that many companies will face and at the moment there is little on offer in the way of a solution.

Turning a negative into a positive

So yes, the GDPR preparation stages are undoubtedly turning into quite a stressful process for many business leaders.

But it shouldn’t all be doom and gloom. After all, the regulation is all about protecting personal data and- therefore- individuals. It could even be seen as an opportunity to review any services and make improvements.

>See also: The General Data Protection opportunity

Rather than full of panic, the next few months have the potential to be a great time for businesses to reflect and strengthen their offering. The regulation will injected a new perspective into decision making, alongside the new definition of personal data and businesses should embrace that.

Organisations might still feel like they are at the start of a long and hard journey…

And there’s nothing wrong with that. 2018 might be here, but the ‘Complete Guide to GDPR’ still doesn’t exist.

There’s no checklist and businesses can’t complete one area of compliance, tick it off and then forget about it as they move onto the next. It’s a continuous journey and a learning curve for all those on it.


Sourced by Richard Walters, CTO, CensorNet

Avatar photo

Nick Ismail

Nick Ismail is a former editor for Information Age (from 2018 to 2022) before moving on to become Global Head of Brand Journalism at HCLTech. He has a particular interest in smart technologies, AI and...

Related Topics