Does the GDPR apply to all personal data?

Napthens - September 14th 2017

Our specialist technology lawyer, Phil Brown, answers the question: does the General Data Protection Regulation (GDPR) apply to all personal data?

The short answer is no, the longer answer (which by no means is the longest) is still no, and this is why...

Most people are familiar with the concept of 'personal data', in that it is data which relates to an identified or identifiable natural living person. If you are not clear on 'personal data', then please get in touch as I have some guidance notes available.

However, it is often missed that the GDPR does not apply to all personal data and this is regularly ignored in some of the advice that I have heard being given out (by other advisors), particularly when it comes to business cards. Of course all personal data is valuable, and deserving of protection - but in the context of looking at the GDPR itself it's worth going back to the source. Article 2(1) of the GDPR sets out the material scope:

"This Regulation applies to the processing of personal data wholly or partly by automated means and to the processing other than by automated means of personal data which form part of a filing system or are intended to form part of a filing system"

It's fair to assume that the new Data Protection Bill will also cover two additional areas to be carried over from the Data Protection Act 1998, to sweep up information forming part of an accessible record (health records; educational records and accessible public records) and information held by public authorities that would otherwise be covered under the Freedom of Information Act 2000, in each case to the extent that they aren't otherwise covered by the GDPR.

"Processing by automated means" covers personal data stored in electronic form, since it can be readily manipulated, retrieved and disseminated. It also covers information which is collected with a view to converting it into electronic form (for example, a hard copy questionnaire which is later to be scanned, uploaded or re-entered into a system).

The less clear part is whether hard copy personal data is stored as part of a "filing system". Back to the Regulation itself, where "filing system" is defined in Article 4(6) as:

"any structured set of personal data which are accessible according to specific criteria, whether centralised, decentralised or dispersed on a functional or geographical basis"

In essence, the question becomes one of structure and size. If specific records relating to an individual can be identified without checking through all the records, then the system is almost certainly going to fall within the scope of the GDPR. If all records must be checked to find reference to an individual (or until a specific individual is found), then it is less likely to fall within the scope of the GDPR.

It's worth noting that the time and effort needed to retrieve the information is not the key consideration - a manual filing system may be spread across several different locations; it comes down to whether there is a system in place, and how structured that system is.

As an example: a drawer full of business cards is unlikely to fall within the scope of the GDPR (that's not to say it shouldn't be protected though, as good practice); whereas a Rolodex of business cards is a filing system under the GDPR, and therefore within scope. Of course, if the details from the business cards are then entered into a mailing list, phone address book, or hard copy address book, then this would definitely be within scope.

If you require any assistance in preparing for the GDPR, please do not hesitate to contact Phil Brown.

Please click here to view the full regulation.