The General Data Protection Regulation (GDPR) will soon be directly applicable in EU countries and apply to all personal data about human beings, or ‘natural people’ as we’re called in jurisprudence. Businesses within and working with EU countries, or providing services to EU citizens, will need to take these new rules into account in their business practice.
Concluded earlier this year, the GDPR comes into force in 2018. It extends the definition of personal data in its article 5 to: “any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person”.
This definition includes identifiers that would be considered ‘personal data’, where a person can be directly or indirectly identified, such as from an ID number, a personal address, IP address, telephone number, fingerprints, retinal patterns, hand geometry, drug identification number or images of individuals captured by a video surveillance system.
Your current location is personal data. Where you live is personal data. So is your route to work. But sometimes these things can still be published as open data to unlock greater value for companies, public bodies and society in general.
The GDPR says that datasets containing personal data can only be published as open data by controllers or processors with the consent of the data subject, or on some other legitimate basis (for example, compliance with legal obligations under article 6).
Data can also be published if it is anonymised, but this is tricky and laborious. Controllers and processors are required to provide sufficient guarantees and implement appropriate technical and organisational measures to meet the requirements of the GDPR regulation and ensure the protection of the rights of the data subject. The Information Commissioner’s Office and the UK Anonymisation Network have put together detailed guidance about anonymising datasets.
A register of countries, for example, is clearly not personal data. An address database without data that provides information about owners or occupants such as individual names, house price or identifying details of tenants or landlords is not personal data. Most spatial information such as maps, road networks, cadastre boundaries and information are not personal data so long as they do not include information about the ownership of those areas. Bus timetables would not be considered personal data if all that a dataset consists of is the general times and routes of buses.
These datasets can be combined with lots of data – including personal data – to create value, but these datasets themselves are not personal data.
This is where geospatial data comes in. Geospatial data is a valuable attribute in many datasets, but it can make identification of individuals easier.
You need to think about what’s in your dataset. A personalised bus timetable – an individual’s commute, for example – may be considered personal data. This is because you may be able to identify that person through ascertaining their home and work address. The same applies to a route cycled on the weekend or a weekly run.