All you need to know about personal data

In this digital age, and with the enactment of the General Data Protection Regulation (GDPR), there has been an intensified focus on personal data and the way businesses handle their clients’ information. Citizens and clients share personal data all the time, with both businesses and governments. Organizations that don’t have a proper handle on that data risk major fines and penalties.

Because this is such an important topic for businesses, we’ve written this extensive guide and FAQ so you can better understand what personal data is, and how you’re required to handle it under GDPR. We’ll answer:

  • What is personal data?
  • What is the GDPR (General Data Protection Regulation)?
  • Personal data in a business perspective
  • When are businesses considered to be processing personal data?
  • Who owns the data?
  • Secure processing of personal data
  • How NewBanking Identity helps companies collect, verify and store personal data securely, easily and in line with GDPR.

Read more about the platform here or contact us to hear more about how we can help your company with KYC compliance.

+45 73 78 00 00

What is personal data?

In order to understand what personal data is, let’s start with a definition. Personal data is defined by the EU in the General Data Protection Regulation as:


“‘personal data’ means any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person;”

- REGULATION (EU) 2016/679 OF THE EUROPEAN PARLIAMENT AND OF THE COUNCIL of 27 April 2016

In other words, personal data is any information that can be used to identify an individual, on its own or combined with other information. Under this definition personal data spans a wide variety of information, including:

  • A name
  • A photo
  • An e-mail address
  • Information about a person’s ethnicity
  • A sound file (for example, a voice recording)
  • An IP address
  • A criminal record
  • A social security number (such as the Danish CPR number)

The list of personal data is therefore potentially inexhaustible.

The GDPR does, however, distinguish between types of personal data that must be processed under more or less restrictive conditions:

General personal data

This includes personal data such as names, e-mail addresses, postal addresses and place of employment: factual information that is often publicly available. It is still personal data and must be processed lawfully, but it is not subject to the extra conditions below.

Sensitive personal data (‘special categories of personal data’)

Article 9 of the GDPR lists these: racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, genetic data, biometric data used to identify a person, health data, and data concerning a person’s sex life or sexual orientation. These types of data are very personal, may only be processed under the specific conditions in Article 9, and need to be handled with extra care.

Social security numbers and criminal records

Governmental identifiers and criminal records are treated separately from the special categories. Data on criminal convictions and offences is governed by Article 10, and national identification numbers by Article 87, which leaves the conditions for using them to the individual member states. Some EU countries therefore treat these as a category of their own that must be guarded even more closely than the special categories.

What is GDPR (General Data Protection Regulation)?

The GDPR, or General Data Protection Regulation, is a regulation in EU law on data protection and privacy in the European Union and the European Economic Area. Unlike the Data Protection Directive (95/46/EC) it replaced, it applies directly in every member state without national implementing legislation. It covers the processing of personal data, as well as the transfer of personal data outside the EU and EEA. It was adopted in 2016 and has applied since 25 May 2018.

Its official name is:


REGULATION (EU) 2016/679 OF THE EUROPEAN PARLIAMENT AND OF THE COUNCIL of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation)

Read more about the General Data Protection Regulation (GDPR).

Personal data in a business perspective

Personal data is among the most valuable information that businesses collect and process. Without it, running a business in today’s digitalized world is hardly possible.

On a consumer level, people could not use today’s digital options, such as setting up a bank account, getting a package delivered or buying essential digital services, without releasing some form of personal data. There are, of course, providers of services and products that don’t need personal data: if you buy a hotdog from a vendor and pay in cash, for example.

Apart from cases like these, the majority of interactions between individuals and businesses involve some sharing, exchange and processing of personal data. The increasing digitalization of society and the use of personal data also make better and more targeted services possible. For that reason the exchange of personal data can be considered necessary, or even essential, for both consumers and businesses.

The rules for how businesses process personal information are quite extensive and cover, among other things, the secure storage of personal data.

Read more about the rules here.

When are businesses processing personal data under GDPR?

The GDPR, and the national laws that supplement it, applies the moment a business ‘processes’ personal data. Processing can take many forms, and because the definition is so broad, in practice it begins the moment a business comes into contact with personal data.

Article 4(2) of the GDPR defines processing as any operation performed on personal data, whether or not by automated means. This includes collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure and destruction.

Verification of information

A specific example is when a business needs to verify that a given name actually belongs to a person. The business checks the name against an external source: a network the person already uses, or another data source authorised to confirm that the information is correct. Even this lookup is processing. It is especially relevant to businesses subject to the Anti-Money Laundering (AML) directives, which require them to verify the identity of their customers.

If even one of the operations above takes place, it counts as processing under GDPR. To stay within EU law, a business should treat any contact with personal data as processing.

Read more about the General Data Protection Regulation (GDPR).

Who owns the data?

GDPR marked a foundational shift in how society views control over data. Before, it wasn’t always clear who held the rights to data once it had been exchanged between two parties, and a person’s right to learn what personal data a business stored about them was often unclear. GDPR clarified these principles. Although the regulation does not use the word ‘ownership’, it settles the question in practice: the rights to the data stay with the data subject, the person the information describes. Businesses are allowed to process and use the data they are given, but only within the rights and conditions the regulation sets, and those rights always remain with the registered person.


Data belongs to the person represented by the information.

The rights of private individuals

What rights do private individuals have in relation to their personal data?

This shift in how data is viewed means that registered persons have a right of access, or subject access, to the data businesses hold about them; GDPR clarified and strengthened a right that existed in weaker form under the earlier directive. It is a right that businesses, too, need to understand, as they are required to respond to such requests within the statutory deadline (normally one month).

With certain exceptions, private individuals have the right to contact a business they believe is processing or storing their personal data and learn what data it holds about them, for what purposes that data is processed, who it is shared with, how long it will be kept, where it came from and, where the processing rests on consent, when that consent was given.

Read more about the Right of Access (Subject Access).

This new understanding of data ownership leads us to the six principles for how businesses should process personal data. Read more below.

Secure processing of personal data

Fundamentally, GDPR requires businesses to protect both internal personal data (on e.g. employees) and external personal data (on e.g. clients, business partners and other third parties) with sufficient security measures. Article 32 calls for ‘appropriate technical and organisational measures’, taking into account the state of the art, the cost of implementation and the risk to the persons concerned.

It’s up to each business to assess which safeguards apply in each situation.

Businesses typically divide these security measures into two categories:

  • Technical security measures: among other things, properly configured firewalls, timely patching of software and systems, encryption of data in transit and at rest, access control and logging, and a robust IT infrastructure.
  • Organizational security measures: clear policies for handling personal data, rules for who may access what, training in correct data processing, and continued education of employees.

If you’re handling sensitive personal data (as defined above), you need to implement stricter security measures. The chosen measures follow from a risk assessment, which is part of the GDPR’s risk-based approach to data protection.

Read more about data protection here.

Here’s how to get started with personal data under GDPR (The 6 Principles)

If you’re interested in the underlying principles of GDPR, you can read Chapter 2, Article 5 of the General Data Protection Regulation.

Article 5(1) sets out six founding principles for how businesses need to approach personal data, and Article 5(2) adds a seventh, accountability: the business must be able to demonstrate that it complies with the first six. We explain each of the six here:

1. ‘Lawfulness, fairness and transparency’

Your business needs to be transparent with clients and customers about how you process their personal data. For example, the language in written communication, such as e-mails and privacy notices, needs to be clear and easy to understand. Clients need to know what is happening, and why. Avoid opaque language and excessive technical jargon, and set time aside to develop good, legible templates you can reuse.

All processing of personal data needs to be fair and secure, and it should follow best practice, for example by using appropriate, up-to-date technology.

Lastly, your processing of personal data needs to be lawful. You need to act in both the spirit and the letter of the law. Concretely, every processing operation needs a legal basis under Article 6: consent is one such basis, alongside performance of a contract, a legal obligation, vital interests, a public task and legitimate interests. Consent is not always required, but where it is the basis it must be freely given, specific, informed and unambiguous, and it can be withdrawn.

2. ‘Purpose limitation’

You can only collect personal data for specified, explicit purposes, and you must inform your clients what those purposes are at the time of collection. This also means you may only use the data for those purposes, or for purposes compatible with them; if a client consented to one use, the data cannot quietly be repurposed for another.

3. ‘Data minimisation’

‘Need to have’ is central to data minimisation. The data you collect must be adequate, relevant and limited to what is necessary for the purpose you have stated. If a purpose does not require a field, you should not collect or keep it.

4. ‘Accuracy’

Ensuring the accuracy of personal data is an ongoing process. You need to keep the data up to date, and you need to correct or delete, without undue delay, data that is inaccurate or no longer fit for the specific purpose it is held for.

5. ‘Storage limitation’

You can only store personal data for as long as it is necessary for the purpose it was collected for. Therefore you need to keep asking: do we still have a purpose for storing this data? A half-yearly or yearly review of your stored data is a good way to make the question routine, and the retention period for each kind of data should be written down in advance.
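Principles 3 and 5 turn into something concrete once each stored field is tied to the purpose that justifies it and each purpose carries a retention period. The following Python example, added here as an illustration and not part of the original page or of NewBanking’s platform, sweeps a set of constructed customer records: a record whose purposes have all lapsed is flagged for erasure (storage limitation), and a record that still has an active purpose is trimmed to the fields that purpose needs (data minimisation). The purpose names, field sets and retention periods are assumptions chosen for the example, not legal advice.

```python
"""Purpose-bound retention sweep: GDPR data minimisation and storage limitation.

Added example with constructed data. The purposes, field sets and retention
periods below are hypothetical assumptions, not legal requirements.
"""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Dict, List, Optional, Tuple

# Assumed retention period for each purpose, counted from the day the purpose ended.
RETENTION: Dict[str, timedelta] = {
    "kyc": timedelta(days=5 * 365),   # records kept for a period after the relationship ends
    "newsletter": timedelta(days=0),  # lapses the day consent is withdrawn
    "delivery": timedelta(days=90),   # kept briefly for disputes about a shipment
}

# Assumed set of fields each purpose actually needs (data minimisation).
FIELDS_FOR: Dict[str, set] = {
    "kyc": {"name", "national_id", "date_of_birth"},
    "newsletter": {"email"},
    "delivery": {"name", "address"},
}


@dataclass
class Purpose:
    name: str
    ended_on: Optional[date]  # None while the purpose is still active


@dataclass
class Record:
    subject_id: str
    fields: Dict[str, str]
    purposes: List[Purpose]


def active_purposes(record: Record, today: date) -> List[str]:
    """Purposes that are ongoing or still inside their retention period."""
    active = []
    for p in record.purposes:
        if p.ended_on is None or today <= p.ended_on + RETENTION[p.name]:
            active.append(p.name)
    return active


def sweep(records: List[Record], today: date) -> Tuple[List[str], Dict[str, Dict[str, str]]]:
    """Return (subject ids to erase, minimised field sets for the records kept)."""
    to_delete: List[str] = []
    minimised: Dict[str, Dict[str, str]] = {}
    for r in records:
        active = active_purposes(r, today)
        if not active:
            to_delete.append(r.subject_id)  # no purpose left: storage limitation says erase
            continue
        needed = set().union(*(FIELDS_FOR[p] for p in active))
        # Drop every field no remaining purpose needs (data minimisation).
        minimised[r.subject_id] = {k: v for k, v in r.fields.items() if k in needed}
    return to_delete, minimised


# Constructed sample data for the example; the values are made up.
TODAY = date(2024, 6, 1)
FULL_FIELDS = {
    "name": "Ada Example", "email": "ada@example.invalid", "address": "1 Example Street",
    "national_id": "010190-0000", "date_of_birth": "1990-01-01", "phone": "+00 000 000",
}
SAMPLE_RECORDS = [
    # Active client: every purpose ongoing, but 'phone' is needed by none of them.
    Record("s1", dict(FULL_FIELDS),
           [Purpose("kyc", None), Purpose("newsletter", None), Purpose("delivery", None)]),
    # Former client: relationship ended 2022-01-01; only the KYC retention period still runs.
    Record("s2", dict(FULL_FIELDS),
           [Purpose("kyc", date(2022, 1, 1)), Purpose("newsletter", date(2023, 12, 31)),
            Purpose("delivery", date(2023, 12, 31))]),
    # Newsletter-only subscriber who withdrew consent yesterday.
    Record("s3", {"name": "Cy Example", "email": "cy@example.invalid"},
           [Purpose("newsletter", date(2024, 5, 31))]),
]

if __name__ == "__main__":
    erase, keep = sweep(SAMPLE_RECORDS, TODAY)
    print("erase:", erase)
    for sid, fields in keep.items():
        print(sid, "keeps", sorted(fields))
```

The point of the structure is that retention is decided per purpose, not per record: the former client in `s2` keeps only the identity fields the KYC obligation still requires, while the marketing and delivery fields disappear as soon as their purposes lapse. A real system would run this sweep on a schedule and log what was erased, which also serves the accountability principle.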

6. ‘Integrity and confidentiality’

The integrity of the data needs to be maintained. In the GDPR’s wording this means protecting personal data against unauthorised or unlawful processing and against accidental loss, destruction or damage: nobody may alter or delete it without authorisation, and you must be able to detect it if they try.

At the same time you need to keep the data confidential. Nobody without authorisation may gain access to it. That applies to people outside your organization (for example, attackers), but also to people inside it (for example, colleagues whose role does not require the data).

To ensure this, you need sufficient and adequate security measures. The level of security can vary from business to business. As mentioned above, technical and organizational security measures are the two methods for protecting the data.

If you have a handle on the six principles, you’ve come a long way towards processing personal data correctly. And it pays off to work within the rules. Violations of the GDPR can result in fines and penalties.

Enforcement Tracker can give you an overview of fines and penalties for violating GDPR in the EU and EEA.

NewBanking – processing personal data easily and securely

If you’ve read along from the top and feel overwhelmed by the challenges of working with GDPR and personal data, you’re not alone. Luckily, there are good solutions for the business challenges of processing data.

NewBanking Identity is a software platform that since 2015 has made it possible for businesses and individuals to exchange information in a transparent and secure way.

For businesses there are a number of benefits from using NewBanking Identity:

  • Onboarding: onboard your clients digitally, using secure channels.
  • Validation: set up your own requirements for validation of information.
  • Documentation: a full trail and overview of the actions performed and the consent given for processing.
  • Processing: NewBanking supports your compliance with both GDPR and AML requirements.

Curious about NewBanking Identity?

Then request a free demo.

Book a demo