The GDPR: What exactly is personal data?

Personal data is at the heart of the EU General Data Protection Regulation (GDPR), but many people are still unsure exactly what ‘personal data’ refers to. There’s no definitive list of what is or isn’t personal data, so it all comes down to properly interpreting the GDPR’s definition:

“‘[P]ersonal data’ means any information relating to an identified or identifiable natural person (‘data subject’).”

In other words, any information that is clearly about a particular person. But just how broadly does this apply? The GDPR clarifies:

“[A]n identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.”

That’s an awful lot of information. In certain circumstances, someone’s IP address, hair colour, job or political opinions could be considered personal data.

The qualifier ‘certain circumstances’ is worth highlighting, because whether information is considered personal data often comes down to the context in which data is collected. Organisations usually collect many different types of information on people, and even if one piece of data doesn’t individuate someone, it could become relevant alongside other data.

For example, an organisation that collects information on people who download products from their website might ask them to state their occupation. This doesn’t fall under the GDPR’s scope of personal data, as, in all likelihood, many people have that occupation. Similarly, an organisation might ask what company they work for, which, again, couldn’t be used to identify someone (unless they were the only employee).

However, when collected together, these pieces of information could be used to narrow down the number of people to such an extent that in many instances you could reasonably establish someone’s identity.

Of course, that’s not always the case. For example, knowing that someone is a barista at Starbucks doesn’t narrow things down much. In that instance, the data would need to be combined with more information, such as the person’s name.

You might think that someone’s name is always personal data, but it’s not that simple, as the UK’s Information Commissioner’s Office explains:

“By itself the name John Smith may not always be personal data because there are many individuals with that name. However, where the name is combined with other information (such as an address, a place of work, or a telephone number) this will usually be sufficient to clearly identify one individual.”

However, it also notes that names aren’t necessarily required to identify someone:

“Simply because you do not know the name of an individual does not mean you cannot identify [them]. Many of us do not know the names of all our neighbours, but we are still able to identify them.”

Discover more about the GDPR in our free green paper, EU General Data Protection Regulation – A Compliance Guide

Download your copy>>

A brief guide to what is (or could be) personal data

As we’ve explained, it can be hard to say whether certain information meets the GDPR’s definition of personal data. However, Cloud services company Boxcryptor provides a list of things that could be considered personal data, either on their own or in combination with other data:

  • Biographical information or current living situation, including dates of birth, Social Security numbers, phone numbers and email addresses.
  • Looks, appearance and behaviour, including eye colour, weight and character traits.
  • Workplace data and information about education, including salary, tax information and student numbers.
  • Private and subjective data, including religion, political opinions and geo-tracking data.
  • Health, sickness and genetics, including medical history, genetic data and information about sick leave.

How organisations should handle personal data

If you’re unsure whether the information you store is personal data or not, it’s best to err on the side of caution. This means making sure data is secure, reducing the amount of data you store, collecting only as much data as necessary to complete your processing activities and keeping data for only as long as it meets its purpose.

The personal data that you collect should be pseudonymised and/or encrypted. Pseudonymisation masks data by replacing identifying information with artificial identifiers. Although it is central to protecting data – being mentioned 15 times in the GDPR – and can help protect the privacy and security of personal data, pseudonymisation has its limits, which is why the GDPR also mentions encryption.

Encryption also obscures information by replacing identifiers with something else. But whereas pseudonymisation allows anyone with access to the data to view part of the data set, encryption allows only approved users to access the full data set.

Pseudonymisation and encryption can be used simultaneously or separately.

With only a few months until the GDPR takes effect, it’s important that you take steps now to secure the personal data that you hold. Organisations that fail to do this will face severe disciplinary action from data protection authorities.

Properly handling personal data is only one thing organisations need to do to comply with the GPDR. Those who want advice on how else to comply with the GDPR should download our free green paper: EU General Data Protection Regulation – A Compliance Guide.

This guide provides an overview of the key changes introduced by the GDPR, the scope and impact of the Regulation and the areas that organisations need to focus on.

This green paper is also available in French, Italian and Spanish.

 Blog disponibile in italiano

Further reading:



GDPR Starter Bundle email banner - 7 day trial


  1. DES PEDLOW 12th September 2018
    • Sophie Meunier 23rd January 2019
  2. Steve 29th September 2018
    • Sophie Meunier 23rd January 2019
  3. John Wells 8th November 2018
    • John Smith 22nd January 2019
    • Sophie Meunier 23rd January 2019
  4. Laura 27th January 2019
    • Luke Irwin 31st January 2019
  5. Daniel 12th February 2019
    • Sophie Meunier 14th February 2019
  6. Glenn Travers 22nd February 2019
    • Luke Irwin 27th February 2019
  7. Beatrice 25th February 2019
    • Luke Irwin 27th February 2019
  8. Laura 25th February 2019
    • Luke Irwin 27th February 2019
  9. Franco 26th February 2019
    • Luke Irwin 27th February 2019
  10. Marie 26th February 2019
    • Luke Irwin 27th February 2019
  11. Bernadette 14th March 2019
    • Jessica Belton 19th March 2019
  12. Karin Pope 15th March 2019
    • Jessica Belton 19th March 2019
  13. John Robins 2nd April 2019
    • Jessica Belton 4th April 2019
  14. Julie Howes 3rd April 2019
    • Jessica Belton 4th April 2019
  15. Maria Hutton 15th April 2019
    • Jessica Belton 18th April 2019
  16. Mandy White 17th April 2019
    • Jessica Belton 23rd April 2019
  17. Art O Laoghaire 8th May 2019
    • Jessica Belton 17th May 2019
  18. Ruth Whelan 23rd May 2019
    • Jessica Belton 24th July 2019
  19. A. Colao 28th May 2019
  20. D Thompson 4th June 2019
    • Jessica Belton 5th June 2019
  21. carl 5th June 2019
    • Jessica Belton 6th June 2019
  22. Ian 7th July 2019
    • Jessica Belton 12th July 2019
  23. Chris 25th July 2019
    • Jessica Belton 14th August 2019
  24. Sofia 6th August 2019
    • Jessica Belton 14th August 2019
  25. Diarmuid 13th August 2019
    • Jessica Belton 14th August 2019
  26. Gemma 21st August 2019
    • Jessica Belton 2nd September 2019
    • Jessica Belton 24th September 2019
  27. Ann O'Donnell 25th September 2019
    • Jessica Belton 27th September 2019
  28. Fred 27th September 2019
    • Jessica Belton 1st October 2019
  29. Denis 8th October 2019
  30. Jeffrey Clark 11th November 2019

Leave a Reply

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.