So, GDPR is to protect the personal data of EU citizens. But what actually is personal data? This can be pretty vague and depends on the context.
‘personal data’ means any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.
Pretty clear, right? So basically, it's all the data that can identify a person directly or indirectly.
Social security number
But there are a lot of ways to identify you indirectly once enough data is gathered or combined.
Cookies (this depends on the data in the cookie)
There isn't a definitive list of data that is considered personal data, so you need to ask yourself: can I identify someone with all the data I have about them? The tech-savvy among us will agree there are a lot of ways to do this.
There are a few types of personal information which are regarded as ‘special’ under GDPR, and should be handled with extra care, or need an additional legal basis to process them.
Race (this can be based on a photograph)
Trade union membership
Biometrics (where used for ID purposes)
Sex life or sexual orientation
So when creating a new form, designing a landing page, or starting to use a new tool, think about what you're doing, and what kind of data you are working with that could be considered personal data. If you think it is, follow the GDPR!
This was our final blog about the GDPR. Too sad, right? Hopefully, the information provided was useful. If you still have questions, please feel free to contact our GDPR expert Matthijs via firstname.lastname@example.org. We want to provide you with all the knowledge you need.