Everything you need to know about personal data
By Eleanor Blackwood
Sat 20 June 2020
Personal data is a term that's used a lot in the news, business and conversation, but what actually is it?
What is personal data?
Legally, 'personal data' is any information that allows a living person to be directly, or indirectly, identified.
So, any information that’s specific to a person’s physical, physiological, genetic, mental, economic, cultural or social identity can be classed as personal data.
There are many different types of personal data. Some common types are:
✔️ Postal address
✔️ Contact details such as your email address and telephone number
✔️ Date of Birth
✔️ ID numbers, such as passport, driver's licence and National Insurance numbers
✔️ Mobile phone GPS
✔️ Cookie identifiers
✔️ Interests (as long as it doesn’t give away ‘sensitive’ data) - such as magazine subscriptions, social media and app activity, music and entertainment channels
Some personal data also counts as 'sensitive' and is subject to tighter restrictions, such as:
- Racial or ethnic origin
- Political opinions, religious or philosophical beliefs
- Trade-union membership
- Genetic data, such as blood type, gender and any other genetic characteristics
- Biometric data, such as fingerprints and facial images
- Health data
- A person’s sexual life or sexual orientation
Does this apply only in the UK?
No, the above definition of personal data is taken from the General Data Protection Regulation (GDPR), which is EU-wide. One of the main strengths of GDPR is that each country can tailor it to its individual needs.
When the UK Government did this, it resulted in the Data Protection Act, which treats personal data almost identically, except that it adds a few more types of data that count as personal data. It also adds to the 'sensitive' personal data list, such as crimes allegedly committed, and court proceedings data.
What is not personal data?
There’s actually no definitive list of what is and isn’t personal data, but in general, any information that can’t be traced back to a ‘living’ person isn’t considered personal data. It all comes down to context.
For example, a person’s name doesn’t always count as personal data because there could be lots of people with the name ‘John Smith’. But, if a name is combined with other information, like an address, online activity or date of birth, then it's usually enough to clearly identify just one individual. So in that context, a person’s name would count as personal data.
Some examples of items not considered to be personal data:
- a company registration number
- an email address such as firstname.lastname@example.org
- anonymised data
How is personal data used?
Personal data can be used in many different ways, so this list is by no means exhaustive, but here are some examples of what your personal data may be being used for:
- The day-to-day functioning of your life: the saving of log-in details, shopping baskets, and payment details all rely on the saving of your data to use at a later date, and help your online experience run smoothly. Data can also be used to secure other data, for example, your phone can use your fingerprint or face ID to authorize access to your phone.
- Academic research: Researchers in any academic discipline can ‘study social media posts and other user-generated data’ to learn more about people. As Seth Stephens-Davidowitz’s research revealed, people’s thoughts and behaviour are usually better gathered from sites like Google than traditional surveys. For example, he found that less than 20% of people admit they watch porn, ‘but there are more Google searches for “porn” than “weather.”'
- Social media: information about when you're typically online, where you’ve been, who your friends are and have been, is all stored. This data can be used to help you connect with your friends and followers. Most of this is not deleted, and some of this is used to market to you more effectively, too.
- Employer activities: employers store and analyse personal data to different extents, with many using it to make changes to the work environment. Employers may also analyse your personal data in the hiring process. To give you an idea, a survey by CareerBuilder in 2018 revealed that over 50% of employers didn’t hire a candidate because of their social media content.
- Tailoring the consumer experience: businesses can analyze customer behaviour and adjust their goods and services to better suit them. For instance, Instagram adjusted their algorithm in 2018 and switched from showing users their news feed in chronological order, to one based on the accounts they most interacted with and whose content they were most likely to find engaging. This data is also passed on to advertisers, who use it for strategic targeting.
- Making money: Data can be monetised. This is because advertisers can use data to create ‘data profiles’ on individuals, containing things like their spending habits, likes, and even their current mood, to target them with relevant ads. Advertisers can also bid for personal data in real time. Data brokers, and any company that collects and sells customer data, can profit greatly because of this industry. Personal data is very valuable: according to the Financial Times it’s a $76bn industry estimated to be worth $200bn by 2022.
Here’s an example to give you an idea of how a shoe retail company could use personal data:
- Name: to identify you
- Location: where you are likely to shop
- Occupation: the kind of clothing required
- Income level: what you are likely to spend
- Spending habits: what you are likely to buy
- Subscriptions: to determine related likes and wants
While some uses of data are purely for the benefit of the consumer, such as tailored advertisements that have been consented to, there are other practices that are legal but tend to alarm consumers, such as data profiling. To read more about that, see our blog.
How long can personal data be stored for?
There’s no legal limit for keeping personal data. Under the GDPR, data should simply not be stored for any longer than it’s needed.
The guidelines are vague, and how long companies can keep your data depends entirely on what your data is being used for. For example, since an employee can claim breach of contract within 6 years of the alleged breach, it’s reasonable for a company to store performance and employment contract data for six years after an employee leaves.
In comparison, a reasonable length of time for a company to store an unsuccessful CV is six months because that’s the window of time in which an applicant can file a discrimination claim. A company should always be able to justify the time period chosen for storing personal data.
If you’re concerned about how long a company is keeping your data, you can get in touch with them directly or send a request via Rightly.
Can I ask a company to delete my data?
Yes, you have the right to ask a company at any time to delete your data.
Current legislation, such as GDPR and The Data Protection Act, gives you more rights over your personal data than ever before. It fundamentally exists to protect the rights of individuals. That means you as a consumer.
The right to delete your personal data is one of your eight rights under GDPR. To send deletion requests through the Rightly platform, see how it works.
How do I know if my personal data has been compromised?
It can be difficult to know if your personal data has been breached, especially if some data breaches aren’t reported on. Sometimes breaches aren't reported because the company isn't notable enough to get press coverage; sometimes the company itself hasn't reported it, to avoid fines and negative press coverage. Data breaches are a big issue: in the last 12 months alone, up to 88% of UK companies have suffered data breaches.
Luckily, there are some ways you can check for data breaches yourself. We recommend:
- Regularly check the site Have I Been Pwned. Just type in your email address, and it will show you if there have been any data breaches related to that email address.
- Watch the news to keep up with any new big data breaches. You can then use the Rightly platform to tell a company that you no longer trust to delete all of the data it is holding on you.
What do I do if my data has been compromised?
First of all, we’re sorry that this has happened. We know it can be distressing and we hope we can help. Here are a few immediate steps you can take:
1️⃣ Immediately change all of your passwords
2️⃣ Keep a close eye on your bank accounts and credit reports
3️⃣ Be on alert for scams. Note anybody contacting you asking for your details
4️⃣ Make a complaint to the company who lost your data
5️⃣ Make a complaint to the Information Commissioner’s Office
If you want to delete your data from the company that’s been breached, you can send a full deletion request through our platform, for free.
How can I protect my personal data?
While the responsibility lies with the company to protect any data they're holding on you, there are some steps that you can take to prevent data breaches affecting you, as well as to protect your personal information more broadly.
13 dos and don'ts to help you protect your personal data moving forward:
✔️ DO use multiple email addresses
✔️ DO keep passwords private
❌ DON'T share your personal information on social media
✔️ DO avoid scam emails or phishing
✔️ DO limit the number of bank cards, ID and National Insurance cards you take out with you
✔️ DO use antivirus, anti-spyware and firewall software
❌ DON'T use public Wi-Fi if you can avoid it
✔️ DO read company privacy policies before entering your details (see our blog)
✔️ Turn off your GPS
✔️ Use a VPN
✔️ Encrypt your personal data
✔️ Update your cookies
✔️ Use a secure browser such as DuckDuckGo
Remember that you can always ask a company what personal data they're holding on you if you're unsure where your data is, or what's happening to it.
How we can help
At Rightly, our goal is to make it easy for people to have more control over their data.
We believe that your data is yours, and yours alone. Using Rightly, you can send requests quickly and easily to multiple companies, decide what happens to your data once you get it back, and also adjust your marketing preferences. Get started below.