To comply with UK GDPR and EU GDPR it is necessary to understand how GDPR defines personal data. This is an area where there is often some confusion. Most of us understand that information like a name or a date of birth is personal. It is less obvious whether other information that could be linked to a person counts as personal data: for example, digital information such as an IP address, information that is publicly available such as a social media handle, or even an email address.
Personal data requires many different protections under GDPR, which can be time consuming and costly to implement. So it’s useful to understand exactly what you need to protect.
To clear things up, we’ve put together this article.
We’ll examine the legal definition within the original legal text of GDPR. Then we’ll look at some advice from the regulators enforcing GDPR across the UK and EU. Throughout we’ll draw on plenty of real-life examples, so you can get a much better understanding of what counts as personal data and why.
How personal data is legally defined under GDPR
The UK GDPR and EU GDPR both rely on the same definition of personal data, set out in Article 4(1). Overall there is not much difference between the two legal texts, so for brevity we’ll refer solely to GDPR.
“‘personal data’ means any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person;”
To help understand this, let’s break it down. By the end we’ll uncover that the scope of personal data under GDPR is wide…
Defining personal data
First let’s be clear that personal data only relates to “natural persons”, which means living human beings. So whilst any pets or robot friends might be personal to you, their data is not covered by GDPR. Data about a company (a legal person rather than a natural person) is not personal data either, although, as we’ll see at the end, data about the people who work there is.
Now let’s look at what types of data would be included in this definition of GDPR.
Essentially, any information that relates to an identified or identifiable person is considered personal data.
The GDPR covers this information even if it does not directly identify somebody.
Some data identifies people directly, and there is little ambiguity over whether it is covered by the GDPR rules. This includes, for example, a name, a date of birth or a scan of an ID document such as a passport. It also includes things like an email address that contains a person’s name, e.g. “john.smith@website…”.
GDPR outlines some identifiers specifically, but it makes clear that the list is not exhaustive. They include:
- identification number;
- location data; and
- an online identifier.
You have to use your own judgement to determine what data falls under the rules. In general it is safe to assume that any data collected in relation to a person or their digital devices is covered.
Some information is less direct, but could still clearly be used to identify somebody when combined with other information, and so is personal data. From a mobile phone number alone, for example, it is not possible to immediately identify somebody, but it could easily be used in combination with other information (a contacts list, a carrier’s customer records) to figure out who the number belongs to. Therefore it falls under this definition.
Similarly, an IP address collected by web analytics software on your website, such as Google Analytics, tells us about the device a person is using to connect to the website. On its own, as a website owner, we cannot figure out who the person is; we cannot name the individual just from the IP address. But other people can, and it is well within technical means: an internet service provider’s customer records, or a government database, can link an IP address and a timestamp to a subscriber. The Court of Justice of the EU confirmed this reasoning in the Breyer case (C-582/14, 2016), holding that a dynamic IP address is personal data in the hands of a website operator that has a legal route to obtain the identity from the ISP. For this reason, even this data is considered personal data and must be protected under GDPR.
The important thing to note here is that just because you personally lack the means to link a single piece of information to a person, it does not mean that you can treat it as non-personal information. Many pieces of information could in theory be used in conjunction with other information to identify someone, and so are considered personal data under GDPR.
There is still some room for judgement here, which may allow you to hold certain information without having to deal with the legal obligations imposed by GDPR. For example, if you collected limited information about a group of people and aggregated it in a way that the individuals could not be recognised, then you may be able to argue that this information is no longer personal data under GDPR, even if there is a hypothetical but slim chance that somebody could combine your data with other sources to identify the individuals concerned. The test in Recital 26 of GDPR is whether identification is possible using “all the means reasonably likely to be used”, taking into account the cost, time and technology available.
In this case you are obliged under GDPR to consider the impact of technical advances that could increase the possibility of this information being used to identify the individuals, and to revisit that assessment over time.
This is yet to be fully tested in court, so in general you are best to assume that any data you have collected from people, about people or from their devices is considered as personal data.
Otherwise you may wish to consider a thorough anonymisation process for the data, if you wish to use it without GDPR constraints. Note that simply replacing names with codes or hashes (pseudonymisation) is not enough: Recital 26 states explicitly that pseudonymised data which could be attributed to a person with the use of additional information is still personal data. Anonymisation only removes data from scope if the individuals can no longer be re-identified by any means reasonably likely to be used.
Remember that even when data is considered personal data under GDPR, it does not necessarily mean that you cannot carry out your intended task. The legal bases for processing under GDPR are purposely broad; they must however be applied correctly in order to be compliant. In some cases this may require you to document your justification for using data for certain purposes.
Examples of personal data under GDPR
To wrap up, let’s point out some examples of personal data under GDPR to help get you thinking about everything you may need to apply GDPR to:
Personal data examples under GDPR
- Date of birth
- Email address
- Home address
- Country of origin
- Country of residence
- City of residence
- Languages spoken
- Education history
- Career history
- Career preferences
- Work address
- Social media profile URLs
- Email communications metadata and content
- Payment details: card number, card type
- Login history, time/date/location
- Location history and metadata
- IP address
- Device type
- ID card number
You can use this as a base to start thinking about the data you process and whether it counts as personal data under GDPR. If you are just starting your GDPR data compliance journey, a great exercise to get started is to simply make a list of every type of data that you collect:
Name, email addresses, date of birth, photo, social media handle, pizza preferences…
One more question that we’re often asked by our clients:
Is personal data processed in a commercial context (b2b) considered personal data under GDPR?
Yes. Even if the data is processed for business purposes, for example where you collect and store the name of the head of procurement at one of your suppliers, it is still considered personal data and must be afforded the protections required by GDPR.
This may also extend to the name of the business itself where the business owner is a sole trader trading under their own name, and to the address of the business in the same circumstances.
Thanks for reading, if you found this helpful you might want to check out some of the other articles available on our website. You can also consider signing up to our newsletter below, so we can help keep you up to date when the law changes.