What is GDPR
GDPR, the General Data Protection Regulation, is an EU regulation that aims to strengthen the protection of personal data in the European Union. It applies from 25 May 2018.
Below you will find the (admittedly boring) 88-page official text of the regulation:
Regulation (EU) 2016/679 of the European Parliament
What is Personal Data in GDPR
Definition (Article 4 (1)):
‘Personal data’ means any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person;
In other words, it is any data that can lead to the identification of a specific (living) person. It can be obviously identifying data such as a name, but it can also be a combination of "innocent" data such as age, height/weight, wealth, job position, company, city, etc., which taken together allow a person to be identified.
Special categories of Personal Data in GDPR
GDPR defines special categories of personal data (sensitive data) that must be protected with additional safeguards and, as a rule, may not be processed at all unless the data subject has given explicit consent or one of the other exceptions listed in Article 9(2) applies. Those categories are:
- racial or ethnic origin,
- political opinions,
- religious or philosophical beliefs,
- trade union membership,
- genetic data, biometric data (where processed to uniquely identify a person),
- health data,
- sex life and sexual orientation.
Examples of Personal Data you can find in your databases
- First name, last name/surname, maiden name
- Email address
- Home address (street, zip, postal code, city)
- Phone number
- Photo
- Date of birth
- Bank account number
- Credit card number
- National Identification Number, (Social) Insurance Number, Social Security Number
- Taxpayer Identification Number, Tax File Number, Permanent Account Number
- Passport number, national ID number, driver's license number
- Vehicle registration plate number
- Employee number
- IP address
- Cookie ID
- Location data
- Handwriting
- Login
- Password
- Social media profile IDs/links
- Mobile device IDs
- Employment history, job title
- Education history
Special Personal Data
Some fields deserve a second look because they either are one of the special categories listed above or can reveal one:
- Race/Ethnicity (special category: racial or ethnic origin)
- Health details, medical records (special category: health data)
- Sex/Gender (ordinary personal data by itself; data about sex life or sexual orientation is a special category)
- Place/city/country of birth (ordinary personal data, but it may reveal ethnic origin)
- Spouse name (ordinary personal data, but it may reveal sexual orientation)
Where to look?
If you want to find where you hold Personal Data in your organization, where should you look? Short answer: everywhere. Even a login can be personal data, and logins can be found almost anywhere.
You should look particularly into the following systems and data stores:
- CRM
- HRM
- E-commerce
- Data warehouse
- Web server logs (IP addresses, logins, cookie IDs)
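A small scanner that puts the lists above to work, as an added example that is not code from the original article: it walks a database catalogue, flags columns whose names hint at the kinds of fields listed earlier, and samples cell values for e-mail addresses, IPv4 addresses and card-like numbers (checked with the Luhn algorithm so that arbitrary long digit strings are not mistaken for card numbers). The in-memory SQLite tables, rows and column-name hints are constructed here for demonstration and are assumptions, not a standard; the same approach works against a CRM, e-commerce or data-warehouse connection.

```python
import re
import sqlite3

# Column-name hints: a token in the column name that usually marks one of the
# field types listed in this article. Constructed heuristic list, not exhaustive.
NAME_HINTS = {
    "name": "name", "surname": "name", "firstname": "name", "lastname": "name",
    "email": "email address", "mail": "email address",
    "phone": "phone number", "mobile": "phone number",
    "address": "home address", "street": "home address", "zip": "home address",
    "birth": "date of birth", "dob": "date of birth",
    "ssn": "national identification number", "nin": "national identification number",
    "passport": "passport number", "iban": "bank account number",
    "card": "credit card number", "ip": "IP address",
    "login": "login", "username": "login", "password": "password",
    "cookie": "cookie ID", "device": "mobile device ID",
}

# Value patterns applied to sampled cell contents (free-text columns included).
EMAIL_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")
IPV4_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
CARD_RE = re.compile(r"\b\d(?:[ -]?\d){12,18}\b")  # 13 to 19 digits, optional separators


def luhn_ok(number: str) -> bool:
    """Luhn checksum; separates real card numbers from other long digit strings."""
    digits = [int(c) for c in number if c.isdigit()]
    if len(digits) < 13:
        return False
    total = 0
    for i, d in enumerate(reversed(digits)):
        if i % 2 == 1:  # double every second digit from the right
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def classify_value(value) -> set:
    """Return the kinds of personal data a single cell value appears to contain."""
    kinds = set()
    if value is None:
        return kinds
    text = str(value)
    if EMAIL_RE.search(text):
        kinds.add("value:email address")
    if IPV4_RE.search(text):
        kinds.add("value:IPv4 address")
    for match in CARD_RE.finditer(text):
        status = "Luhn valid" if luhn_ok(match.group(0)) else "Luhn invalid"
        kinds.add(f"value:card-like number ({status})")
    return kinds


def scan_database(conn: sqlite3.Connection, sample_rows: int = 200) -> dict:
    """Map (table, column) -> set of reasons the column looks like personal data.

    Table names come from the catalogue and are double-quoted in the generated SQL;
    sample_rows limits how many rows per table are inspected so the scan stays cheap.
    """
    findings = {}
    tables = [r[0] for r in conn.execute(
        "SELECT name FROM sqlite_master WHERE type='table' AND name NOT LIKE 'sqlite_%'")]
    for table in tables:
        columns = [r[1] for r in conn.execute(f'PRAGMA table_info("{table}")')]
        rows = conn.execute(f'SELECT * FROM "{table}" LIMIT ?', (sample_rows,)).fetchall()
        for idx, column in enumerate(columns):
            reasons = set()
            for token in re.split(r"[^a-z0-9]+", column.lower()):
                if token in NAME_HINTS:
                    reasons.add(f"name:{NAME_HINTS[token]}")
            for row in rows:
                reasons.update(classify_value(row[idx]))
            if reasons:
                findings[(table, column)] = reasons
    return findings


def build_sample_db() -> sqlite3.Connection:
    """Constructed in-memory data (CRM, e-commerce, web log) for demonstration only."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE customers (id INTEGER, full_name TEXT, email TEXT, birth_date TEXT, notes TEXT);
        CREATE TABLE orders (id INTEGER, customer_id INTEGER, card_number TEXT, amount REAL);
        CREATE TABLE web_log (ts TEXT, client_ip TEXT, path TEXT, user_login TEXT);
    """)
    conn.executemany("INSERT INTO customers VALUES (?, ?, ?, ?, ?)", [
        (1, "Jane Doe", "jane.doe@example.org", "1985-04-12", "Prefers contact at jane.doe@example.org"),
        (2, "John Roe", "john@example.com", "1990-11-30", "No remarks"),
    ])
    conn.executemany("INSERT INTO orders VALUES (?, ?, ?, ?)", [
        (1, 1, "4111 1111 1111 1111", 19.99),  # Luhn-valid test number
        (2, 2, "1234 5678 9012 3456", 5.00),   # 16 digits but fails the Luhn check
    ])
    conn.executemany("INSERT INTO web_log VALUES (?, ?, ?, ?)", [
        ("2018-05-25 10:00:00", "203.0.113.7", "/login", "jdoe"),
    ])
    return conn


if __name__ == "__main__":
    findings = scan_database(build_sample_db())
    for (table, column), reasons in sorted(findings.items(), key=lambda kv: kv[0]):
        print(f"{table}.{column}: {', '.join(sorted(reasons))}")
```

Note that the free-text notes column is flagged from its values alone: column names tell you where personal data is supposed to live, sampled values tell you where it actually leaked to. Both the hint list and the regexes are heuristics and will need tuning to your own schemas.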
Making sure your organization is GDPR compliant is not a simple or obvious task, even when you narrow it down to databases. I hope this article made your task a little easier.