The General Data Protection Regulation ('GDPR') became applicable on 25 May 2018, harmonizing data protection law across the EU and EEA and marking the most significant change to European privacy regulation in two decades. GDPR regulates the manner in which personal data is handled by almost every industry, and especially by entities that routinely process large volumes of data in the course of their business.
To assess the ambit of GDPR, one first needs to understand what kind of information qualifies as 'personal data', since GDPR applies only where the processing concerns personal data; information that falls outside that definition does not trigger compliance obligations. In essence, personal data is any information relating to an identified or identifiable natural person, including data that can be linked back to such a person by any means. Let's break down the key elements here:
Who Does This Apply To?
Crucially, personal data is data that relates to natural persons, i.e. living individuals. Data protection norms do not apply to information concerning non-natural persons (legal entities) such as companies, LLPs, societies, foundations, etc. Note the practical caveat, however: information about the individuals behind a legal entity, such as the name, work e-mail address or login credentials of an employee or director, still relates to a natural person and therefore remains personal data.
What Kind Of 'Information' Does This Apply To?
The scope of 'any information' has deliberately been kept broad and open-ended so that every form in which data can relate to an individual is captured, whatever the format or subject matter. Information can be attributed to an individual directly or indirectly, starting with the most obvious details such as name, address or location, and social or financial details (a unique income tax ID, credit card or bank account numbers, a social security number, etc.). Online identifiers also count: an IP address, a cookie or advertising identifier, or a device ID is personal data where it can be combined with other information to single out a person. Deeply personal characteristics such as the physical, physiological, mental, economic, cultural and behavioural characteristics of a person fall within this ambit too.
GDPR also distinguishes ordinary personal data from 'special categories of personal data' (Article 9), which cover racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, genetic data, biometric data used to uniquely identify a person (e.g. fingerprints), data concerning health, and data concerning a person's sex life or sexual orientation. Processing of these special categories is prohibited by default and is permitted only where one of the specific exceptions in Article 9 applies, and such data, by its very nature, calls for a higher degree of protective measures.