GDPR: What Exactly Is Personal Data?

Personal data lies at the heart of the GDPR (General Data Protection Regulation). This is the whole point of the Regulation: it’s what organisations must protect.

However, many organisations are still unsure exactly what ‘personal data’ is.


What does the GDPR say?

The issue is that the GDPR doesn’t provide a definitive list of what is or isn’t personal data. It’s up to organisations to correctly interpret the GDPR’s definition:

‘Personal data’ means any information relating to an identified or identifiable natural person (‘data subject’)

In other words, personal data is any information clearly about a particular person.

The GDPR further clarifies that information is considered personal data whenever an individual can be identified, directly or indirectly, “by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person”.

That’s an awful lot of information.

In certain circumstances, someone’s IP address, hair colour, job or political opinions could be considered personal data.

The qualifier ‘in certain circumstances’ is worth highlighting, because whether information is considered personal data often comes down to the context in which it’s collected.


Context is everything

Organisations usually collect many different types of information on people, and even if one piece of data doesn’t individuate someone, it could become relevant alongside other information.

For example, a data controller that requests information on people who download products from its website might ask them to state their occupation. This doesn’t fall under the GDPR’s scope of personal data because job titles usually aren’t unique to one person.

Similarly, an organisation might ask what company they work for, which, again, couldn’t be used to identify someone unless they were the only employee.

However, in many instances, these pieces of information could be used together to narrow down the number of natural, living persons to such an extent that you could reasonably establish someone’s identity.

In other words, if you refer to someone with a specific job title at a specific organisation, there may only be one person who fits that description.

Of course, that’s not always the case.

Knowing that someone is a barista at Starbucks doesn’t narrow things down much, for example. In which case, those two pieces of information together wouldn’t be considered personal data.

In practice, however, most organisations don’t store this information without a specific identifier, such as the person’s name or payroll number.


Names aren’t always considered personal data

You might think that someone’s name is as clear an example of personal data as it gets; this literally defines you as you.

But it’s not always that simple.

Many names aren’t unique, which brings us back to a ‘barista at Starbucks’-type scenario. You may exclude a lot of individuals that way, but you can’t pinpoint a specific person.

Only when you combine a name with other information – like an address, a telephone number or a place of work – does a common name become personal data.


See also:


A guide to what is (or could be) personal data

As we’ve explained, it can be hard to say whether certain information meets the GDPR’s definition of personal data.

So, what might constitute personal data, whether on its own or in combination with additional information?

  • Biographical information or current living situation, including names, addresses, dates and places of birth, national identification numbers, phone numbers and email addresses.
  • Looks, appearance and behaviour, including eye colour, shoe size, character traits and shopping habits.
  • Workplace data and information about education, including salary or other earnings, tax information and student numbers.
  • Private and subjective data, including religion, political opinions and geolocation data.
  • Health, sickness and genetics, including medical history, genetic data and information about sick leave.


How organisations should handle personal data

If you’re unsure whether the information you store is personal data, err on the side of caution.

Make sure you’re meeting the data protection principles. Only process data that’s necessary for a stated purpose. Keep it up to date, and for only as long as it meets that purpose.

Also keep it secure. ‘Integrity and confidentiality’ is an explicit principle under the GDPR – but regardless of whether the information is considered ‘personal data’, you don’t want it compromised. Data breaches are both disruptive and expensive.


Ask a DPO if you’re unsure

Those looking for ongoing advice on how to manage the personal data they collect should consult a DPO (data protection officer).

A DPO is an independent expert hired to guide organisations on their GDPR compliance requirements. They’re responsible for many tasks, including:

  • Advising the organisation and its employees on their obligations;
  • Monitoring the organisation’s data protection policies and procedures;
  • Recommending when you need a DPIA (data protection impact assessment); and
  • Acting as a point of contact between the organisation and its supervisory authority.

The GDPR states that certain organisations must appoint a DPO – but even if you don’t fill those criteria, it can be hugely beneficial to appoint one anyway.


Want to appoint a DPO cost-effectively?

If you haven’t got the in-house resources to appoint an internal DPO, you can appoint one externally. This is a practical solution to achieving GDPR compliance:

  • Cost-effective compared to an internal appointment.
  • Access to independent DPO expertise not available internally.
  • No conflict of interest between the DPO and other business activities.
  • Application of best practice in achieving and maintaining compliance with the GDPR.

Specifically in the case of IT Governance, this also gives you access to a suite of GDPR training and compliance solutions.


We originally published a version of this blog in February 2018.

234 Comments

  1. DES PEDLOW 12th September 2018
    • Sophie Meunier 23rd January 2019
  2. Steve 29th September 2018
    • Sophie Meunier 23rd January 2019
  3. John Wells 8th November 2018
    • John Smith 22nd January 2019
    • Sophie Meunier 23rd January 2019
    • Mary 13th August 2021
  4. Laura 27th January 2019
    • Luke Irwin 31st January 2019
      • Johnkelly 16th April 2022
        • Luke Irwin 17th May 2022
  5. Daniel 12th February 2019
    • Sophie Meunier 14th February 2019
  6. Glenn Travers 22nd February 2019
    • Luke Irwin 27th February 2019
  7. Beatrice 25th February 2019
    • Luke Irwin 27th February 2019
  8. Laura 25th February 2019
    • Luke Irwin 27th February 2019
  9. Franco 26th February 2019
    • Luke Irwin 27th February 2019
  10. Marie 26th February 2019
    • Luke Irwin 27th February 2019
  11. Bernadette 14th March 2019
    • Jessica Belton 19th March 2019
  12. Karin Pope 15th March 2019
    • Jessica Belton 19th March 2019
  13. John Robins 2nd April 2019
    • Jessica Belton 4th April 2019
  14. Julie Howes 3rd April 2019
    • Jessica Belton 4th April 2019
  15. Maria Hutton 15th April 2019
    • Jessica Belton 18th April 2019
  16. Mandy White 17th April 2019
    • Jessica Belton 23rd April 2019
  17. Art O Laoghaire 8th May 2019
    • Jessica Belton 17th May 2019
  18. Ruth Whelan 23rd May 2019
    • Jessica Belton 24th July 2019
  19. A. Colao 28th May 2019
  20. D Thompson 4th June 2019
    • Jessica Belton 5th June 2019
  21. carl 5th June 2019
    • Jessica Belton 6th June 2019
  22. Ian 7th July 2019
    • Jessica Belton 12th July 2019
  23. Chris 25th July 2019
    • Jessica Belton 14th August 2019
  24. Sofia 6th August 2019
    • Jessica Belton 14th August 2019
  25. Diarmuid 13th August 2019
    • Jessica Belton 14th August 2019
  26. Gemma 21st August 2019
    • Jessica Belton 2nd September 2019
    • Jessica Belton 24th September 2019
  27. Ann O'Donnell 25th September 2019
    • Jessica Belton 27th September 2019
  28. Fred 27th September 2019
    • Jessica Belton 1st October 2019
  29. Denis 8th October 2019
  30. Jeffrey Clark 11th November 2019
  31. Curcu 18th December 2019
    • Jessica Belton 8th January 2020
  32. Monika 11th January 2020
  33. Duncan Bowers 13th January 2020
  34. Justin 15th January 2020
    • Jessica Belton 20th January 2020
  35. Markos 24th January 2020
    • Jessica Belton 29th January 2020
  36. Marie 25th January 2020
    • Jessica Belton 29th January 2020
  37. Pete 27th January 2020
    • Jessica Belton 30th January 2020
  38. James C. 28th January 2020
    • Jessica Belton 30th January 2020
  39. DJ 3rd February 2020
    • Jessica Belton 6th February 2020
  40. Anne Sen-Oliver 4th February 2020
    • Luke Irwin 4th February 2020
  41. Paul Tucker 19th February 2020
    • Jessica Belton 21st February 2020
  42. Nuri 4th March 2020
    • Jessica Belton 9th March 2020
  43. C Ward 4th March 2020
  44. Mark 9th March 2020
  45. Neva 21st March 2020
  46. injection moulding china 3rd April 2020
  47. David Mac 30th April 2020
  48. Andrew Webb 19th May 2020
  49. Caroline Phelan 24th May 2020
  50. Peter 11th June 2020
  51. Lola 12th June 2020
  52. Lars Branden 8th July 2020
    • Luke Irwin 8th July 2020
      • Nic Malone 2nd February 2021
  53. Mona 17th July 2020
    • Luke Irwin 21st July 2020
      • Mona 10th August 2020
  54. Aundrea Paprocki 27th August 2020
  55. Susanne 27th August 2020
    • Luke Irwin 1st September 2020
  56. Merle Suchy 11th September 2020
  57. Alex Targett 30th September 2020
    • Luke Irwin 5th October 2020
  58. sportstoto 11th October 2020
  59. Carron Kennedy 13th November 2020
  60. Noah 14th November 2020
  61. Dr Vladimir Portnyh 21st November 2020
  62. Daniel 27th November 2020
  63. Jo 4th December 2020
  64. Senan 5th December 2020
  65. Josh Smith 16th December 2020
  66. Mika 18th December 2020
  67. Michael Redmond 24th December 2020
  68. Zain Malik 8th January 2021
  69. 토토365프로 9th January 2021
  70. Max 12th January 2021
  71. M 26th January 2021
  72. instantvitalrecords 3rd February 2021
  73. AJ 6th February 2021
    • Luke Irwin 2nd March 2021
  74. Hamlet 12th February 2021
    • Luke Irwin 2nd March 2021
  75. Jon 17th February 2021
    • Luke Irwin 2nd March 2021
  76. Jo 9th March 2021
    • Luke Irwin 9th March 2021
  77. Taylor Ronald 15th March 2021
  78. Carl Upsall 22nd March 2021
    • Luke Irwin 23rd March 2021
  79. DS 22nd March 2021
    • Luke Irwin 23rd March 2021
  80. Priya Sharma 12th April 2021
  81. zoe 20th April 2021
    • Luke Irwin 26th April 2021
  82. totositezero 11th May 2021
  83. jack 13th May 2021
  84. oncasinosite 13th May 2021
  85. tomas 14th May 2021
  86. totoclinic 18th May 2021
  87. noriter 20th May 2021
  88. mv1004tv 21st May 2021
  89. mvtv 24th May 2021
  90. totovery 26th May 2021
  91. totopolice 27th May 2021
  92. oncasinosite 27th May 2021
  93. JimA 3rd June 2021
    • Luke Irwin 8th June 2021
  94. RicoSuave 20th June 2021
  95. RicoSuave 20th June 2021
  96. casinosite777.info 2nd July 2021
  97. sportstoto.zone 2nd July 2021
  98. baccaratsite.biz 2nd July 2021
  99. casinosite777.info 6th July 2021
  100. sportstoto.zone 6th July 2021
  101. baccaratsite.biz 6th July 2021
  102. Catherine 15th July 2021
  103. mr david reid 24th July 2021
  104. David 25th July 2021
  105. Nicola 4th August 2021
  106. Kelly Carroll 11th August 2021
  107. Andrew 13th August 2021
  108. sportstoto.link 16th August 2021
  109. Anne Guelker 23rd August 2021
  110. Chyrell McLean 25th August 2021
  111. Paula 15th September 2021
  112. sportstototop.com 23rd September 2021
  113. Dawn 30th September 2021
  114. Jon Williamson 4th October 2021
  115. Anon 5th October 2021
  116. Sally 13th October 2021
  117. NDC Management 20th October 2021
  118. Johann 21st October 2021
  119. Roy 25th October 2021
  120. Galina 28th October 2021
  121. Ella 2nd November 2021
  122. totosport 3rd November 2021
  123. majorsport 5th November 2021
  124. Ian Longman 10th November 2021
  125. David 3rd December 2021
  126. Audintel 24th December 2021
  127. Audintel 29th December 2021
  128. E 1st January 2022
  129. shafeeq 26th January 2022
  130. Access Doors and Panels 26th January 2022
  131. Vipnumbershop 29th January 2022
  132. Laura Speen 2nd February 2022
    • Luke Irwin 24th February 2022
  133. Dave Clements 9th February 2022
    • Luke Irwin 24th February 2022
  134. Michelle 9th February 2022
    • Luke Irwin 24th February 2022
  135. Themedsfly 11th March 2022
  136. Lynda 10th April 2022
    • Luke Irwin 17th May 2022
  137. Helen Jurd 14th April 2022
    • Luke Irwin 17th May 2022
  138. Mike 25th April 2022
    • Luke Irwin 17th May 2022
  139. John 26th April 2022
    • Luke Irwin 17th May 2022
      • John 27th June 2022
  140. Umar 13th May 2022
  141. Rajesh Patel 18th May 2022
    • Luke Irwin 24th May 2022
  142. Nadine 8th June 2022
    • Luke Irwin 15th June 2022
  143. a2zshopbd 24th June 2022
  144. simthanhdat.net 21st October 2022
  145. Kajal 11th January 2023
  146. Seb 16th January 2023
    • Luke Irwin 16th February 2023
  147. Robert 14th February 2023
    • Luke Irwin 16th February 2023
  148. beylikdüzü masaj salonu 22nd March 2023
  149. Sasha 26th May 2023
  150. Mike 2nd June 2023
  151. itgovernance 5th July 2023
  152. Peter 20th July 2023
  153. Vinit Roy 31st August 2023
  154. Debbie Brocklebank 22nd September 2023
    • Neil Ford 26th September 2023
  155. Alice Val 6th October 2023
  156. Peter Caddy 24th October 2023
  157. Mariska 13th December 2023
  158. Christian Kronborg 22nd January 2024
  159. Tom Holland 24th January 2024
  160. Al 13th February 2024
  161. John 10th April 2024
  162. Jeremy Squibb 10th April 2024
  163. Mateusz Kula 14th April 2024

Leave a Reply

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.