Text description for Figure 1: Mapping the concept of the spectrum of identifiability to data protection law
If a person is directly identifiable or indirectly identifiable
Information is personal data and data protection law applies
If a person is:
- likely to be identifiable, as identifiability risk is insufficiently remote; or
- unlikely to be identifiable, as identifiability risk is sufficiently remote.
These are the next steps:
- Consider the means likely to be used, you should take into account:
- data and its environment
- context, scope and purposes of your processing
- technical and organisational measures you apply.
- Assess the identifiability risk based on objective factors, such as:
- motivation
- competence needed
- cost and time required
- available technologies
- legal gateways and their likelihood of use.
If the information is personal data, then data protection law applies
If the information is anonymous, then data protection law does not apply, but keep under review as appropriate.
If a person is impossible to identify, information is anonymous, and data protection law does not apply, (but keep under review as appropriate).