The GDPR: What exactly is personal data?

Personal data is at the heart of the General Data Protection Regulation (GDPR). However, many people are still unsure exactly what ‘personal data’ refers to.

There’s no definitive list of what is or isn’t personal data, so it all comes down to correctly interpreting the GDPR’s definition:

‘[P]ersonal data’ means any information relating to an identified or identifiable natural person (‘data subject’).

In other words, any information that is clearly about a particular person. But just how broadly does this apply?

The GDPR clarifies that this applies whenever an individual can be identified, directly or indirectly, “by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.”

That’s an awful lot of information. In certain circumstances, someone’s IP address, hair colour, job or political opinions could be considered personal data.

The qualifier ‘certain circumstances’ is worth highlighting, because whether information is considered personal data often comes down to the context in which it is collected.


Context is everything

Organisations usually collect many different types of information on people, and even if one piece of data doesn’t individuate someone, it could become relevant alongside other information.

For example, a data controller that requests information on people who download products from their website might ask them to state their occupation.

This doesn’t fall under the GDPR’s scope of personal data, because, in all likelihood, a job title isn’t unique to one person.

Similarly, an organisation might ask what company they work for, which, again, couldn’t be used to identify someone unless they were the only employee.


Free PDF download: EU General Data Protection Regulation – A Compliance Guide

Download now


 

However, in many instances, these pieces of information could be used together to narrow down the number of natural, living persons to such an extent that you could reasonably establish someone’s identity.

In other words, if you refer to someone with a specific job title at a specific organisation, there may only be one person who fits that description.

Of course, that’s not always the case. Knowing that someone is a barista at Starbucks doesn’t narrow things down much, for example.

In these cases, those two pieces of information together wouldn’t be considered personal data. However, it’s highly unlikely that this information would be stored without a specific identifier, such as the person’s name or payroll number.


Names aren’t always considered personal data

You might think that someone’s name is as clear an example of personal data as it gets; it is literally what defines you as you. But it’s not always that simple, as the UK’s Information Commissioner’s Office explains:

“By itself the name John Smith may not always be personal data because there are many individuals with that name.

“However, where the name is combined with other information (such as an address, a place of work, or a telephone number) this will usually be sufficient to clearly identify one individual.”

However, the ICO also notes that names aren’t necessarily required to identify someone:

“Simply because you do not know the name of an individual does not mean you cannot identify [them]. Many of us do not know the names of all our neighbours, but we are still able to identify them.”


See also:


A guide to what is (or could be) personal data

As we’ve explained, it can be hard to say whether certain information meets the GDPR’s definition of personal data.

However, Cloud services company Boxcryptor provides a list of things that could be considered personal data, either on their own or in combination with additional information:

  • Biographical information or current living situation, including dates of birth, Social Security numbers, phone numbers and email addresses.
  • Looks, appearance and behaviour, including eye colour, weight and character traits.
  • Workplace data and information about education, including salary, tax information and student numbers.
  • Private and subjective data, including religion, political opinions and geo-tracking data.
  • Health, sickness and genetics, including medical history, genetic data and information about sick leave.

How organisations should handle personal data

If you’re unsure whether the information you store is personal data or not, it’s best to err on the side of caution.

This means making sure that the processing of personal data is limited to what is necessary and keeping data for only as long as it meets its purpose.

You should also strongly consider pseudonymising and/or encrypting information – particularly if it is a special category of personal data.

Pseudonymisation masks data by replacing identifying information with artificial identifiers.

Although it is central to protecting data – being mentioned 15 times in the GDPR – and can help protect the privacy and security of personal data, pseudonymisation has its limits, which is why the GDPR also mentions encryption.

Encryption also obscures information by replacing identifiers with something else. But whereas pseudonymisation allows anyone with access to the data to view part of the data set, encryption allows only approved users to access the full data set.

Pseudonymisation and encryption can be used simultaneously or separately.


Ask a DPO if you’re unsure

Those looking for ongoing advice on how to manage the personal data they collect should consult a DPO (data protection officer).

A DPO is an independent expert hired to guide organisations on their GDPR compliance requirements. They are responsible for many tasks, including:

  • Informing and advising the organisation and its employees of their obligations;
  • Monitoring the organisation’s data protection policies and procedures;
  • Recommending to management when DPIAs (data protection impact assessments) are necessary; and
  • Acting as a point of contact between the organisation and its supervisory authority.

The GDPR states that certain organisations must appoint a DPO – but even if you don’t fill those criteria, it can be hugely beneficial to appoint one anyway.


Become a GDPR expert

You can learn more about your organisation’s data protection requirements by taking our Certified GDPR Foundation Self-Paced Online Training Course

This one-day course is delivered by an experienced data protection expert, and provides a comprehensive introduction to the Regulation and its rules.

It is ideal for managers who want to understand how the Regulation affects their organisation and employees who are responsible for GDPR compliance, and is available in a variety of forms, including online and self-paced.

A version of this blog was originally published on 17 February 2018.

107 Comments

  1. DES PEDLOW 12th September 2018
    • Sophie Meunier 23rd January 2019
  2. Steve 29th September 2018
    • Sophie Meunier 23rd January 2019
  3. John Wells 8th November 2018
    • John Smith 22nd January 2019
    • Sophie Meunier 23rd January 2019
  4. Laura 27th January 2019
    • Luke Irwin 31st January 2019
  5. Daniel 12th February 2019
    • Sophie Meunier 14th February 2019
  6. Glenn Travers 22nd February 2019
    • Luke Irwin 27th February 2019
  7. Beatrice 25th February 2019
    • Luke Irwin 27th February 2019
  8. Laura 25th February 2019
    • Luke Irwin 27th February 2019
  9. Franco 26th February 2019
    • Luke Irwin 27th February 2019
  10. Marie 26th February 2019
    • Luke Irwin 27th February 2019
  11. Bernadette 14th March 2019
    • Jessica Belton 19th March 2019
  12. Karin Pope 15th March 2019
    • Jessica Belton 19th March 2019
  13. John Robins 2nd April 2019
    • Jessica Belton 4th April 2019
  14. Julie Howes 3rd April 2019
    • Jessica Belton 4th April 2019
  15. Maria Hutton 15th April 2019
    • Jessica Belton 18th April 2019
  16. Mandy White 17th April 2019
    • Jessica Belton 23rd April 2019
  17. Art O Laoghaire 8th May 2019
    • Jessica Belton 17th May 2019
  18. Ruth Whelan 23rd May 2019
    • Jessica Belton 24th July 2019
  19. A. Colao 28th May 2019
  20. D Thompson 4th June 2019
    • Jessica Belton 5th June 2019
  21. carl 5th June 2019
    • Jessica Belton 6th June 2019
  22. Ian 7th July 2019
    • Jessica Belton 12th July 2019
  23. Chris 25th July 2019
    • Jessica Belton 14th August 2019
  24. Sofia 6th August 2019
    • Jessica Belton 14th August 2019
  25. Diarmuid 13th August 2019
    • Jessica Belton 14th August 2019
  26. Gemma 21st August 2019
    • Jessica Belton 2nd September 2019
    • Jessica Belton 24th September 2019
  27. Ann O'Donnell 25th September 2019
    • Jessica Belton 27th September 2019
  28. Fred 27th September 2019
    • Jessica Belton 1st October 2019
  29. Denis 8th October 2019
  30. Jeffrey Clark 11th November 2019
  31. Curcu 18th December 2019
    • Jessica Belton 8th January 2020
  32. Monika 11th January 2020
  33. Duncan Bowers 13th January 2020
  34. Justin 15th January 2020
    • Jessica Belton 20th January 2020
  35. Markos 24th January 2020
    • Jessica Belton 29th January 2020
  36. Marie 25th January 2020
    • Jessica Belton 29th January 2020
  37. Pete 27th January 2020
    • Jessica Belton 30th January 2020
  38. James C. 28th January 2020
    • Jessica Belton 30th January 2020
  39. DJ 3rd February 2020
    • Jessica Belton 6th February 2020
  40. Anne Sen-Oliver 4th February 2020
    • Luke Irwin 4th February 2020
  41. Paul Tucker 19th February 2020
    • Jessica Belton 21st February 2020
  42. Nuri 4th March 2020
    • Jessica Belton 9th March 2020
  43. C Ward 4th March 2020
  44. Mark 9th March 2020
  45. Neva 21st March 2020
  46. injection moulding china 3rd April 2020
  47. David Mac 30th April 2020
  48. Andrew Webb 19th May 2020
  49. Caroline Phelan 24th May 2020
  50. Peter 11th June 2020
  51. Lola 12th June 2020
  52. Lars Branden 8th July 2020
    • Luke Irwin 8th July 2020
  53. Mona 17th July 2020
    • Luke Irwin 21st July 2020
      • Mona 10th August 2020
  54. Aundrea Paprocki 27th August 2020
  55. Susanne 27th August 2020
    • Luke Irwin 1st September 2020
  56. Merle Suchy 11th September 2020
  57. Alex Targett 30th September 2020
    • Luke Irwin 5th October 2020
  58. sportstoto 11th October 2020
  59. Carron Kennedy 13th November 2020
  60. Noah 14th November 2020
  61. Dr Vladimir Portnyh 21st November 2020

Leave a Reply

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.