You’ve all been incredibly patient, and here’s where it starts to pay off. We can leave that pure theory aside (well, as long as you remember it) and have some fun playing with the rules by practically applying them. The first thing we’ll look at, and have a tinker with, are those troubling terms in the extremely loose definition of Personal Data.
Context is King
The reason these things have to be applied to be understood is that they’re all context dependent. I mentioned that things phase in and out of being personal data all the time, and that can change between one process and another and one department and another. That’s because the context surrounding the processing changes.
You’ll hear people saying things like “Context is key” or “Context is king”, and you’re bound to have already heard the famous answer given by DPOs everywhere “it depends…”. The reason “it depends” isn’t because we like playing coy, it’s because you asked what seemed a simple question, but the DPO hasn’t spent an hour grilling you about the smallest details of the processing yet, so everything is still up in the air.
To explore how all of this works when you put it into in practice let’s start with a simple scenario:
Examples
If I say to you “the person with blonde hair” that could identify anyone in the room, so hair colour is not Personal Data as it doesn’t identify one individual.
If I say to you “the person with the Hawaiian shirt” (assuming there is only 1) then that is Personal Data as you can single out one person.
If a person with black hair walks into the room, then “the person with black hair” or “the person who doesn’t have blonde hair” is Personal Data, because one person is easily identified. The description “blonde hair” is still not Personal Data though, so hair colour simultaneously is and is not Personal Data depending on what colour it is.
If another person, this time with red hair, joins the room neither of the phrases “blonde hair” or “not blonde hair” are Personal Data, but the phrase “black hair” or “red hair” are both Personal Data.
Are you still with me? Hopefully you can see how the context of who is in the room, something you probably can’t control, is changing not only what is and isn’t personal data, but also the level of risk and required controls over time.
The results could also…