What is personal data under GDPR?

07/11/2017

A week ago, we hosted our day of insight at the Shard. It was an event focussed primarily on presenting what functionality City Dynamics can offer both our existing and potential clients operating within the financial sector, through Microsoft Dynamics 365. However, we also took the opportunity to discuss an elephant in the room for many of those who attended, the dreaded GDPR. 

Straight away, just from speaking to a few of those who came to the event, who ranged from CFOs and directors of large London-based companies to chartered accountants, it was clear that there were a lot of misconceptions and uncertainties surrounding what GDPR means. We’ve already discussed in our previous blogs what the changes mean for those who handle users’ personal data. But what exactly is personal data?

Under GDPR the definition of what constitutes personal data is broad: 

“any information relating to an identified or identifiable natural person ‘data subject’ […] one who can be identified, directly or indirectly, in particular by reference to an identification number or to one or more factors specific to his physical, physiological, mental, economic, cultural or social identity.”

Under GDPR, personal data includes data such as names, gender, address, etc. Under GDPR’s new rulings, companies that hold this information on their clients will need to provide, on demand, an explanation of what the information is being used or held for, as well as a copy of all personal data held on the person making the request. Such a request is called a Data Subject Request (DSR).

Satisfying a Data Subject Request 

The DSR is a central focus of GDPR, introducing a new procedure for people to go about requesting their data from companies. One major change to the old procedure is the removal of the £10 fee, meaning that a DSR incurs no charge. As a result, when GDPR comes into effect on May 25th 2018, many companies are expecting to receive large numbers of DSRs as people rush to discover who holds their personal data. Will your company be able to respond to multiple requests within the provided timeframe?