Personal data is labelled in may different ways. The new oil. The new gold. A new digital currency. There will be many more labels, as data has become extremely valuable. But what is personal data, when does the European General Data Protection Regulation, GDPR, apply, and is there a difference between non-personal data and personal data, anonymous data and identifiable data?
When Maersk uses data for container logistic planning and Vestas to estimate where best to place wind turbines, there are very few issues regarding privacy – if any. The data they use is not personal data. It is wind and weather data, product life cycle data, data about traffic, ports and piracy risks. It is all non-personal data. Here the capability of collecting and using data can be a huge competitive advantage without risks of violating any human beings’ privacy.
It is not until those wind data is paired with human identities to e.g. help individuals plan personal sailing routes, that is becomes personal data and you need to take other precautions. With personal data, which is data where you can identify the person behind, you are dealing with human beings and their lives, and here you need to comply with the European General Data Protection Regulation, GDPR.
Types of Personal Data
There are two categories of personal data. ‘Non-sensitive personal’ data and sensitive or ‘special categories of personal data’, according to Birgitte Kofod Olsen, co-founder of DataEthics.eu and partner in the consulting house Carve.
Non-sensitive personal data covers data such as name, address, data of birth and phone number. It is data about your economy, tax, debt, sick days, family condition, house, car, geo-location, browsing behaviour, IP-address, education, CV and job.
Special categories of personal data are sensitive data such as race, political opinion, ethnical background, religious and philosophical opinions, affiliation to workers unions, health, sexual orientation, biometric and genetic data.
The distinction is important, as the GDPR prohibits processing of special categories of data. The prohibition can however be set aside, e.g. if an explicit consent is given by the data subject or national or EU legislation allows the processing of data.
Processing of all types of personal data requires an assessment of the purpose of processing and the collection of personal data; Data has to be relevant and necessary to meet the purpose, and it should stand out as fair and proportionate when applied in a specific context.
Aggregated Anonymous Data
If you can fully anonymise personal data, so no one else can identify single persons in your data set, you are not dealing with personal data anymore, and don’t have to comply with GDPR. Fully anonymised aggregated data can be used to show patterns of behaviour and even predict patterns of behaviour, eg. which neighbourhoods have the biggest risk of crime this coming Saturday and thus need more police cars. Or women 50+ who have been smoking for more than 30 years are in risk of this and this. As long as the persons behind the data are not identifiable, the predictions are okay from an ethical point of view. Here we are not looking neither at the quality of data or the predictions, nor the possible bias reflected in data.
Read more on DataForGood.Science