The GDPR applies to the processing of personal data when running a (non or for profit) business, membership, club, association or any type of organization (online or not).
Because of the definitions in the legal text, GDPR applies to nearly all kinds of businesses and organisations, irrespective of size, type, industry or revenue.
Many business owners who believe that GDPR don’t apply to them, are not clear on what personal data is. And, in short, it’s almost anything.
Personal data in the GDPR is more than you think
Personal data as per the GDPR is any kind of information or assessment of an individual, that can be either directly identified by this information/assessment, or indirectly identified by it, in combination with other information.
Think about yourself for a minute.
Your name, birth date, social security number, shoe size, health record, car registration number, phone number, email address, employee number +++.
All kinds of data/information that could be used to identify you, either directly, such as your name, or indirectly, such as your cell phone number, is considered as personal data in the GDPR.
Other examples of personal data are:
- Personal email address
- Passport number
- IP address
- Pictures (if identifying individuals)
- Invoices (if identifying individuals)
- The shape of your head (!)
The question you should ask, is: Can this piece of information or data identify someone?
Your behaviour patterns are also considered personal data, that is; what you do, how often, and where, because this data relates to you as an individual.
For example; a lot of grocery chain companies ask for your personal shopping data so that they can tailor their recommendations and discount coupons to you, in an attempt to make you a loyal customer.
What is not personal data?
Some data is not considered personal data, such as your company name or registration number, or a company email address that cannot identify an individual, e.g. email@example.com.
Note, however, that a company email address that can identify an individual, is indeed considered personal data. Examples could be initials before the @yourcompany.com or firstname.lastname@example.org.
Pictures where you cannot identify a person, aren’t personal data either.
Remember, to categorise a piece of information as “personal data”, it needs to relate to people that you can identify, either directly or indirectly.
Let’s say that you have a picture from an event or screenshot from a Zoom group call displaying a group of people.
If you (or anyone else) can identify any one individual, this picture/screenshot is personal data. If it’s 100% impossible to identify any one individual, it’s not personal data (which is highly unlikely with a Zoom call if people have their camera on!).
GDPR applies to business-to-business too
Some people believe that GDPR doesn’t apply if they only sell to other businesses («B2B»). This is incorrect.
GDPR absolutely applies to B2B, because personal data will be involved in such sales.
Just think of it; who signs a contract with you? It’s not a company per se – it’s an individual representing the company, signing with her or his name, i.e. their personal data.
So, you see, the short answer is that personal data is almost anything you can think of, if you can tie it to a certain person.
Other examples of personal information could include postal address, credit card number, loyalty program number and much more.
«Special category" personal data (prohibited to process!)
The GDPR specifically addresses what’s called «special category data». These are considered so sensitive that they’re prohibited to process (!).
You still can, though. To do this you need to take extra precautions as outlined in GDPR Article 9. Let’s come back to that below.
For most business owners, the special category of health data is the most relevant one. So, if you know that you process data related to someone’s health, listen (read) carefully now.
This could be as innocent as asking someone if they have any allergies when you’re hosting an event and serving food, or when signing up for your freebie on your gluten-free food blog.
It will most definitely apply if you’re a dentist, doctor, physio therapist, nurse or personal trainer.
It might apply if you’re a coach, if the discussions with your clients include any information about them related to:
- their health
- political, philosophical or religious opinions/beliefs
- criminal matters, or their
- sexual orientation/preferences
Two other special categories data include racial/ethnic origin and trade union membership.
If you know now that you process (collect, record, alter, discuss, store/save, log, register, write down or any other means of processing) these kinds of data, you face a much higher risk of (higher) fines and reputational damages if you don’t take GDPR seriously.
In any case, please read through the GDPR Article 9 to make sure you are familiar with all categories of special data, as I haven’t listed them all here (most of them don’t apply to small business owners, but they might, and it’s your responsibility to make sure you know).
What is «sensitive personal data», then?
GDPR doesn’t include a separate category called «sensitive personal data» (only special category data, as explained above).
A lot of personal data might be sensitive in nature, such as social security number, passport number, credit card number and more, but there are no separate requirements in the GDPR to treat them in any particular way.
However you are required to do a risk assessment of the personal data your process. The security measures you then implement, should be stricter for data that can be considered as "sensitive" (and even more strict for special category data).
So just make sure you know exactly which data falls under the GDPR Article 9 and that you take necessary steps to ensure you process these as per the law.
And, of course, all other personal data as per the rest of the legislation.
This article is written specifically for small businesses and therefore doesn’t include all aspects of the legislation that may apply to larger businesses and public entities. No information on this website constitute legal advice.