What is personal data under GDPR

GDPR compliance is a legal requirement in the EU. Learn how you can comply with GDPR by ensuring that clients’ personal data are protected and secured.

Mads Hilmar Bundgaard Nielsen
Compliance Officer

GDPR is aimed at emphasizing and supporting citizens' right to privacy and data protection

Personal Data under GDPR

The GDPR came into effect on 25 May, 2018 and imposes serious fines, sometimes amounting to tens of millions of euros, on any businesses, companies or organisations that fail to comply with its strict regulations. Aside from fines, companies can also face civil class action lawsuits that usually carry larger corporate financial risk than the fines themselves. The GDPR is aimed at emphasizing and supporting citizens’ right to privacy and data protection, an issue that has become extremely significant in an age of cloud storage, data hacking, and identity theft.

The GDPR (General Data Protection Regulation) is a privacy and security law that was drafted and passed by the European Union and is the most stringent data privacy law in the world. It applies to all companies and organisations that process personal data in the EU or data relating to EU citizens.

Fortunately, there are tools and services that help to ensure that you are in compliance with the GDPR. Read on to find out more.

 

What is personal data under the GDPR?

Any information that can be used to identify an individual, regardless of whether this is achieved by direct or indirect means, is classified as personal data under the GDPR.

Examples of personal data under the GDPR are:

  • Names

  • ID numbers

  • Passport numbers

  • IP addresses

  • Biometric data

  • Nationality

  • Ethnicity

  • Physical addresses

  • Gender and sexual orientation

  • Religious beliefs

  • Political alignment

  • Web cookies

  • Nicknames, such as pseudonyms used for social media accounts, etc.

Aside from the things mentioned above, personal data can also be data connected to an identity. This can be facts related to one’s internet and purchase history, interests, subscriptions, and memberships. These are pieces of information that, alone or combined, enable inference of identity: locations, birthday, zip code, license plate, place of work, gender, etc.

 

What is not considered personal data?

Did you know that there are certain and very specific types of data that could be considered “non-personal data” under the GDPR? The GDPR itself defines non-personal data as “data other than personal data as defined in point 1 of Article 4”.

Data that cannot, in any way, whether it be direct or indirect, be used to identify an individual, is not considered personal data under the GDPR. Here are some examples of data that could, under special circumstances, be considered non-personal data under the GDPR:

  • Anonymous data that cannot in any way be used to identify their sender or receiver, especially information that cannot reveal the identity of a person with or without additional information, for example: age distribution across company departments, number of 'yes' or 'no' replies to a form, click-through rate (without IP details or similar identifiers), aggregated sales performance of teams larger than 5 persons, etc.

  • Data that does not pertain to people, such as city statistics, corporate financial data, transportation timetables, etc.

It is also important to note that the GDPR is far less specific on what qualifies as non-personal data than it is on what qualifies as personal data. Furthermore, even if the data does not contain direct references to a person, it may still be considered personal data because of the possibility of inference. What this means is that someone can still piece together specific information and, with some investigation, connect it to a person. As such, companies can never be too careful when handling information related to their clients and customers.

 

Who does the GDPR affect?

Any company, business, institution, or organisation that deals with or handles data pertaining to people in the EU is subject to compliance with the GDPR. Considering the daunting nature and sheer size of the GDPR document, especially for small and medium-sized businesses, it is essential for such entities to have access to the right tools that enable the appropriate protection of their clients’ (and their clients’) personal data.

Looking for an industry leader when it comes to privacy and data protection compliance? At e-Boks, we provide all the data protection features that other providers offer in addition to our digital postbox technology and guarantee that your company will be compliant with the GDPR.

You can find out more about our GDPR data security compliance services by sending us an inquiry and signing up for our seamless onboarding process.

 

What does the GDPR require of you?

The official GDPR document itself comprises nearly one hundred articles and two hundred recitals, and is supported by countless guidelines and rulings specifying the new requirements and their implementation for companies and organisations. It is thus not exactly light reading for most people.

However, to help you understand the basics of what the GDPR requires, here is a summary: 

  1. Be accountable and maintain a record of being so: Organisations must keep on record how personal data is processed, for what legitimate purposes, and how data is protected. Furthermore, maintain a current list of recipients of personal data (suppliers, authorities, partners, etc.), particularly where these have ties to countries outside the EU / EEA.

  2. Adopt a risk-based approach: Continuously identify and evaluate the risk to the data subjects introduced by your processing activities: annoyance, inconvenience, embarrassment, financial or reputational impact, or significant impact to health, family, housing, employment, or civil rights.

  3. Identify and apply appropriate lawful basis for processing: Do you need consent from your customer/client/data subject or is the processing necessary for the performance of your contractual obligation? Do you have a legitimate interest for processing or are you obligated by law?

  4. Inform data subjects and support their rights: Always keep your processing activities transparent to the data subject and enable them to access (a copy of) their data, move their data, and erase their data, and be ready to react to objections to profiling and automated decision making.

  5. Manage your processing activities: Never collect more data than necessary, or process or retain it for longer than necessary. Do you really need the birthday of a job applicant? Did you remember to erase the application of that rejected applicant?

 

How can companies improve their compliance with the GDPR?

Is there a simple way to ensure that your company is compliant with the GDPR? Fortunately, there are a number of tools and platforms that aim to make the process of GDPR compliance easier.

The problem is that most of them only deal with one aspect of data security, and complete packages that meet all of the GDPR’s criteria are rare. Fortunately, we at e-Boks are considered the industry leader when it comes to data protection. Our digital postbox technology is specifically aimed at helping companies ensure that they comply with the regulation even when sending and distributing personal information of the most sensitive kind. 

At e-Boks, we help companies operate seamlessly across borders. We offer assistance with GDPR compliance, as well as sender and receiver validation. e-Boks' solution ensures a high level of protection of personal data, enables users to exercise their rights on demand through intuitive service functionality, and guarantees document exchanges between verified senders and recipients.

 

How is e-Boks different?

We at e-Boks have established our business by delivering a digital postbox that enables digital distribution, interaction, and storage of digital information. For users, a digital postbox works similarly to the way that traditional email does, but there are some major differences between the two.

 

Differences between e-mail and a digital postbox

A digital postbox is a closed network that requires both the sender and the recipient to verify their identities by means of a nationally issued (or equivalent) ID. This eliminates spam and fraudulent senders and guarantees that messages will be delivered to the assigned recipient and only him or her.

In practice, users’ identities are verified upon each login against an identity service chosen by the customer. The sender of data can rest assured that only the intended recipient can and will receive it. 

The e-Boks digital postbox guarantees that users have full control, including access, editing, portability, and erasure, over their profile data, received messages, and other postbox contents. Any unwanted data, such as spam, advertising, or hacking attempts, can therefore be avoided completely.

The e-Boks platform is already used actively in a number of countries, including Norway, Sweden, Ireland, Greenland, and Denmark.

 

Make e-Boks an important part of your solution

The solutions we provide have been adapted to the new personal data regulations to meet the requirements for a secure infrastructure. This means that all documents sent through our platforms comply with the regulations, whether they are employment contracts, payslips, health information, bank statements, or other personal documentation.

By using e-Boks as a communication channel, you as a sender can avoid any issues with delivery and individual processing of each document type. This is because we offer a comprehensive framework where everything is handled securely and transparently. In addition, all communications between sender and recipient are encrypted. This means that a third party cannot gain access to the communication that takes place. This encryption also applies to e-Boks itself, as we do not have access to the end users' documents.

 

Start protecting your client and customer data now

If you want to know more about how we at e-Boks can safeguard your business data to meet the EU requirements, you are always welcome to contact us for a discussion about what you can do to comply with the new personal data regulations.


Contact us

  • For more than 20 years, we have helped public authorities and businesses securely digitise their communication flows.
  • We proudly provide the governments of Denmark, Greenland, Norway, Sweden and Ireland with national digital post solutions.
  • Well-renowned international banks, insurance companies and energy service providers have chosen to use the e-Boks platform instead of pursuing their own solutions.
