What does the GDPR definition of personal data include?
The definition of personal data in the EU's GDPR data protection rules is broad enough to include any type of data that can be used to directly or indirectly identify a person.
The European Union's General Data Protection Regulation (GDPR), which takes effect on May 25, asserts that everyone has a right to the protection of their personal data.
With that, GDPR restricts how companies collect, store and use the personal data of customers. The rules give consumers the power to deny the collection of their personal data, to fact check data that is collected and even to have their data erased from a company's databases.
The GDPR definition of personal data includes all the information related to a person that can be used to directly or indirectly identify them. This personally identifiable information can consist of anything from a name, a photo, an email address or bank account details to posts on social networking websites, biometric data or the IP address of a person's computer, according to the EUGDPR.org FAQ page.
Whether an IP address should be considered personal data has been subject to debate, but European Union (EU) lawmakers ultimately ruled it to be personal data under GDPR because people can be identified through the IP addresses they use.
All types of personal data have to be handled in compliance with the GDPR legislation's data processing rules. These rules require organizations to process personal data lawfully, fairly and in a transparent manner, and the data that's collected must be used for specific and legitimate purposes, limiting data collection to only that which is necessary for valid business reasons.
There are gray areas in the GDPR definition of personal data that companies must make clear through documentation. For example, a company may consider recording a person's eye color to be necessary for legitimate business purposes, but it needs to be able to prove that the information serves a legitimate purpose in accordance with the GDPR definition of personal data.
The way to validate that any type of personal data is necessary is through business requirements documents, according to Anne Marie Smith, vice president of education and chief methodologist at EWSolutions, a data management consulting firm in Bloomingdale, Ill.
"You need to document that you need to know someone's eye color or what their favorite food is, and you'll need to prove how that data satisfies a stated business goal so that auditors can clearly see the necessity," she said.
Before a company can collect any personal data at all, it needs to obtain informed, unambiguous consent from an individual. This might involve having the person check a box to confirm consent.
GDPR also requires personal data to be accurate, and organizations must take measures to keep the data they hold up to date. The personal data that companies collect must also be processed in a manner that ensures data security, protecting it against unauthorized use or data loss.
In addition, personal data can be retained no longer than is required for the purposes for which the data is collected and processed, and anyone in the EU can request that their personal data be removed from corporate databases located in EU member countries or outside of them.