Part 2: Personal data – what it is in general and in our line of business
The upcoming GDPR aims to strengthen the protection granted to EU citizens with regard to the processing of their personal data. In our previous article, we went through some important dates, explained the reasons for the GDPR coming into effect and went through the most important differences between the current and upcoming legislation.
In this article, we will take a closer look at the term “personal data” – what it actually means and, more specifically, what personal data is in Pagero’s line of business as a provider of e-commerce services to companies all over the globe.
Categorisation of personal data
Here at Pagero, we are working hard to make the necessary adjustments before the GDPR enters into force. We have chosen to sort personal data into five categories, depending on how much effort is needed to identify or expose the person in question. This classification supports our internal risk assessment of which types of data are most exposed to disclosure, and which disclosures would have the most serious consequences.
- Directly identifiable personal data – the most obvious category: any information that can be linked directly to a specific individual, such as a social security number, date of birth, name, address, phone number, email address (note that an address such as firstname.lastname@example.org is personal data by default, even if it looks generic), geolocation and registration plates.
- External indirectly identifiable personal data – data that may look anonymised but which, combined with data held by a third party, can be used to identify the person. Examples are IP addresses, cookies, credit card numbers and external identities such as Facebook and Twitter profiles.
- Internal indirectly identifiable personal data – data such as a customer number or employment number that may look anonymous to the untrained eye but which, with the right tools, can be used to identify a person precisely.
- Other identifiable personal data – personal data found in analyses of buying preferences and similar profiling. Examples include items purchased or account balance.
- Sensitive personal data – information such as racial or ethnic origin, political opinions, religious beliefs, health details, and biometric or genetic data. Exposure of such information is of course serious, but here too additional information is usually needed to identify the person. Information about a leg transplant, for instance, is sensitive, but if it cannot be connected to an individual it is not personal data at all.
Typical situations in which Pagero processes personal data
For us at Pagero, it is of course important to identify the presence of personal data in the e-documents we process on behalf of our customers. In our field of business such data would typically be present as follows:
- Certain elements of e-documents may contain personal data. The trading parties may be natural persons (sole traders). The official name of the legal entity may identify one or more natural persons. References may also include identifiers of natural persons.
- Due to the nature of the business, certain e-documents may be required to provide evidence that services have been delivered to designated natural persons. Within healthcare, social or educational services, for instance, the trading party may have to indicate the person who received the product or service. Such a scenario will often involve sensitive personal data.
- And, of course, contracts and user accounts, where it is frequently necessary to disclose personal details.
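As an added illustration, and not Pagero's own code, the following Python scanner walks a constructed, UBL-like e-invoice and tags fields that match the five categories above. It also applies the rule stated earlier: purchase details and health-related context are recorded as personal data only when the same document identifies a natural person. The element names, the Swedish identifier formats (personal numbers and organisation numbers share a YYMMDD-NNNN layout and a Luhn check digit, and sole traders use their personal number as business identifier), the keyword list and the sample document are all assumptions made for this example.

```python
import re
import xml.etree.ElementTree as ET
from dataclasses import dataclass

# The five categories used in the article.
DIRECT = "directly identifiable"
EXTERNAL_INDIRECT = "external indirectly identifiable"
INTERNAL_INDIRECT = "internal indirectly identifiable"
OTHER = "other identifiable"
SENSITIVE = "sensitive"

# Assumptions for this example: UBL-like element names, Swedish identifier
# formats and a small health-context word list. Adapt to your own documents.
EMAIL_RE = re.compile(r"\b[\w.+-]+@[\w-]+(?:\.[\w-]+)+\b")
CARD_RE = re.compile(r"\b\d{13,19}\b")
SE_ID_RE = re.compile(r"\b(?:\d{2})?\d{6}[-+]?\d{4}\b")  # YYMMDD-NNNN, optional century
INTERNAL_ID_TAGS = {"CustomerAssignedAccountID", "SupplierAssignedAccountID"}
PURCHASE_PATH_SUFFIXES = ("/Item/Name", "/LineExtensionAmount")
SENSITIVE_WORDS = ("hemtjänst", "home care", "patient", "diagnos")


@dataclass(frozen=True)
class Finding:
    path: str       # element path inside the document
    category: str   # one of the five categories
    detector: str
    value: str


def luhn_ok(digits: str) -> bool:
    """Luhn check, shared by payment cards and Swedish personal/organisation numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def is_natural_person_id(token: str) -> bool:
    """True for a Luhn-valid Swedish personal number (a sole trader's business
    identifier is one too). Organisation numbers share the layout but carry a
    'month' pair of 20 or higher, so they are deliberately not flagged."""
    digits = re.sub(r"\D", "", token)[-10:]
    return 1 <= int(digits[2:4]) <= 12 and luhn_ok(digits)


def walk(elem, path=""):
    path = f"{path}/{elem.tag}"
    yield path, elem
    for child in elem:
        yield from walk(child, path)


def scan(xml_text: str):
    """Return the personal-data findings for one e-document."""
    findings, contextual = [], []
    for path, elem in walk(ET.fromstring(xml_text)):
        text = " ".join(elem.text.split()) if elem.text else ""
        if not text:
            continue
        for m in EMAIL_RE.finditer(text):
            findings.append(Finding(path, DIRECT, "email", m.group()))
        for m in SE_ID_RE.finditer(text):
            if is_natural_person_id(m.group()):
                findings.append(Finding(path, DIRECT, "personal-number", m.group()))
        for m in CARD_RE.finditer(text):
            if luhn_ok(m.group()):
                findings.append(Finding(path, EXTERNAL_INDIRECT, "payment-card", m.group()))
        if elem.tag in INTERNAL_ID_TAGS:
            findings.append(Finding(path, INTERNAL_INDIRECT, "internal-id", text))
        if path.endswith(PURCHASE_PATH_SUFFIXES):
            contextual.append(Finding(path, OTHER, "purchase-detail", text))
        if any(w in text.lower() for w in SENSITIVE_WORDS):
            contextual.append(Finding(path, SENSITIVE, "health-context", text))
    # Purchase details and health context count as personal data only if the
    # same document identifies a natural person; unlinked, they are not.
    if any(f.category == DIRECT for f in findings):
        findings.extend(contextual)
    return findings


# Constructed sample, loosely UBL-shaped; not a real Pagero document.
SAMPLE_INVOICE = """<Invoice>
  <ID>INV-2017-0042</ID>
  <AccountingSupplierParty>
    <PartyName><Name>Example Care AB</Name></PartyName>
    <CompanyID>556677-8899</CompanyID>
    <Contact><ElectronicMail>anna.andersson@example.org</ElectronicMail></Contact>
  </AccountingSupplierParty>
  <AccountingCustomerParty>
    <PartyName><Name>Example Kommun</Name></PartyName>
    <CustomerAssignedAccountID>C-10042</CustomerAssignedAccountID>
  </AccountingCustomerParty>
  <PaymentMeans><CardAccount><PrimaryAccountNumberID>4111111111111111</PrimaryAccountNumberID></CardAccount></PaymentMeans>
  <Note>Hemtjänst utförd för brukare 19121212-1212 under vecka 12</Note>
  <InvoiceLine><Item><Name>Home care visit, 2 hours</Name></Item></InvoiceLine>
</Invoice>"""

if __name__ == "__main__":
    for f in scan(SAMPLE_INVOICE):
        print(f"{f.category:34} {f.detector:16} {f.path}")
```

On the sample, the supplier's organisation number is left alone while the care recipient's personal number in the note is flagged as directly identifying, and that single direct identifier is what turns the note and the line item into sensitive and "other" personal data. Names of natural persons are not detected here; that needs a dictionary or an NER pass, which is outside this example.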
Hopefully, you now have an idea of what personal data is. What each company needs to do is look at its own business and processes and find out where and when personal data is being processed.
There are, of course, a number of other terms that it is important to understand when dealing with the GDPR from an e-document processing perspective. In our next article, we will look more closely at the core terminology and place Pagero in the GDPR ecosystem.
This article was written by Nazar Paradivskyy, Head of Compliance at Pagero Group, together with Fredrik Hjorth, a consultant from Transcendent Group. Fredrik is currently helping Pagero to implement the changes required by the GDPR; he has long experience of privacy legislation and a solid background in banking and finance.