The GDPR applies to organizations that process data of EU citizens. Before we continue, let’s clarify what we mean by “process data”. This has a very specific definition. However, to keep things simple, let’s boil it down to mean “holding data”. In other words, GDPR applies to organizations that hold data of EU citizens.
But do you know what type of data this applies to? There are 2 broad categories: personal data and special categories of personal data.
Below is a checklist of the data fields that would be classified into these categories. Take a look.
Personal Data
- Name
- ID number
- Home address
- Location data
- Online identifiers (IP address)
Special Categories of Personal Data
- Racial or ethnic origin
- Political opinions
- Religious beliefs
- Philosophical beliefs
- Health data (including genetic and biometric data)
- Trade union membership
- Sex life or sexual orientation
- Criminal convictions and offenses
If your company holds data of EU citizens and that includes any of the data fields listed above, continue with your due diligence! Your next step should be to create a Data Inventory to determine what your GDPR compliance roadmap needs to include. We created a handy diagram, called The 10 GDPR Components. Think of this as GDPR broken down into 10 chunks. Some companies will need to address all 10 components, while other companies will only need to address some of them.