GDPR has given many business leaders a headache as to what they are expected to do in order to comply with the data protection legislation. Whilst there are many businesses that went above and beyond what is actually required, there are still many more that struggle to implement the changes correctly and risk being in breach.
Principle of free flow of data vs GDPR restrictions
GDPR sets out requirements and protections for the processing of personal data. A common misinterpretation stems from the fact that not all data is personal data, so the data protection principles under GDPR do not necessarily apply to every dataset. From 28 May 2019, the Free Flow of Non-Personal Data Regulation, a separate new EU regulation, applies to non-personal data and in fact encourages the free flow of data without restrictions. This is likely to add to the confusion for businesses that may find it difficult to get to grips with identifying personal data and distinguishing it from non-personal data. Further complications arise when a dataset is a mixture of both, which is the most common form of dataset.
Both personal data (with GDPR protections) and non-personal data should be allowed to flow freely between member states under the EU principle of free movement of data. The porting of data between businesses and switching between cloud service providers is becoming increasingly important in a digital economy and should not be hindered. The EU wants to ensure that the data economy is competitive and encourages the industry to develop self-regulatory codes of conduct. This will give consumers more choice, make services more efficient and boost the use of cloud technologies, which in turn leads to cost savings. A recent study estimates that businesses can save 20% to 50% of their IT costs by migrating to cloud services – a significant financial gain.
The EU Commission has recently published guidance as to how to handle personal and non-personal data and what rules need to be followed when dealing with mixed datasets. The guidance gives realistic practical examples and sets self-regulatory approaches supporting the free flow of data. The guidance can be found here:
Personal vs non-personal data
In a nutshell, personal data comprises any data that allows the identification of a person, and non-personal data is any other data. Personal data includes names, email addresses, dates of birth and other information that identifies individuals. Personal data can be made non-personal by anonymisation or pseudonymisation. This will get around the GDPR restrictions, but care should be taken if the persons in question can still be identified with the help of additional information, as the data will then still be classified as personal data.
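The point about "additional information" is easiest to see in code. The following is an added illustration, not taken from the page or from the EU Commission's guidance: a constructed mixed dataset is pseudonymised by replacing the email address with a keyed token, and the same function hands back the lookup table that maps tokens to emails. Whoever holds that table (or the key) can reverse the process, so the tokenised rows remain personal data in their hands. By contrast, aggregating the rows per product leaves no per-person record to reverse. All record values, the key and the function names are assumptions made for the example.

```python
import hashlib
import hmac

# Constructed sample records (not from the page): a mixed dataset with a direct
# identifier (email) alongside non-personal transaction data.
RECORDS = [
    {"email": "alice@example.com", "product": "savings", "amount": 120.0},
    {"email": "bob@example.com", "product": "mortgage", "amount": 950.0},
    {"email": "alice@example.com", "product": "card", "amount": 40.0},
]


def pseudonymise(records, key):
    """Replace the email with a keyed HMAC-SHA256 token.

    Returns (tokenised records, lookup table token -> email). The lookup table
    and the key are exactly the 'additional information' that makes
    re-identification possible, so they must be held separately from the data.
    """
    lookup = {}
    tokenised = []
    for r in records:
        token = hmac.new(key, r["email"].encode(), hashlib.sha256).hexdigest()[:16]
        lookup[token] = r["email"]
        tokenised.append({"customer": token, "product": r["product"], "amount": r["amount"]})
    return tokenised, lookup


def reidentify(tokenised, lookup):
    """Anyone holding the lookup table can restore the identifier."""
    return [{**r, "email": lookup[r["customer"]]} for r in tokenised]


def anonymise(records):
    """Aggregate per product: no row refers to an individual, nothing to reverse."""
    totals = {}
    for r in records:
        totals[r["product"]] = totals.get(r["product"], 0.0) + r["amount"]
    return totals


if __name__ == "__main__":
    key = b"constructed-example-key"  # assumption: a secret held by the data controller
    tokenised, lookup = pseudonymise(RECORDS, key)
    print("pseudonymised:", tokenised)
    print("re-identified by key holder:", reidentify(tokenised, lookup))
    print("anonymised totals:", anonymise(RECORDS))
```

Note that the token is deterministic, so the two rows for the same customer stay linkable even without the key; that linkability is what distinguishes pseudonymised data from the aggregated totals, and it is why the tokenised dataset should be treated as personal data whenever the key or table is within reach.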
The new regulation makes clear that the free flow of non-personal data should not be hindered. That means businesses should take care not to put up any barriers to data exchanges by mistakenly over-applying GDPR restrictions to non-personal data.
Mixed datasets, as the name suggests, comprise both personal and non-personal data and make up the majority of datasets in today’s data economy. They include, for example, a company’s tax records, datasets held by a bank or anonymised statistical research data. The restrictions imposed by GDPR only apply to the personal part of a mixed dataset and do not affect the non-personal part of the data.
However, if the personal data is inextricably linked to the non-personal data and the two cannot easily be separated for practical reasons, GDPR fully applies to the whole set, even if the personal part is minimal. That means GDPR takes precedence over the Free Flow of Non-Personal Data Regulation in respect of some mixed datasets.
Practical example (taken from the EU Commission’s Guidance)
Some banks use customer relationship management (CRM) services provided by third parties that require a client's data to be made available in the CRM environment. Data held in the CRM service will include any information needed to effectively manage the interaction with the customer, such as their postal and email address, their phone number, the products and services they purchase, and sales reports, including aggregated data. These data can therefore include both personal and non-personal customer data.
Data protection is a complex field of law and it is crucial to get it right. If you have concerns over handling your company’s data or find yourself in a dispute, contact Beatrice Bass.