What is the GDPR Personal Data Definition?

Explore the GDPR personal data definition. What is it? What categories are there? Learn the vital aspects of personal data.

What Is GDPR Personal Data?

Under the GDPR, personal data is any information connected to a living individual who can be identified—either directly or indirectly—using identifiers such as names, ID numbers, online identifiers, or attributes related to their physical, cultural, or social identity.

Simply put, if you can determine who someone is based on the information you have, it qualifies as personal data.


Applicability of GDPR Personal Data

The GDPR governs the following types of data processing:

  1. Data processed by automated means – For example, electronically stored and managed information.
  2. Data forming part of a filing system – This includes manually handled data that is structured to allow easy retrieval.

While determining whether you handle personal data is straightforward in most cases, certain instances may require careful analysis to confirm whether the GDPR applies.


Special Category Data

Some types of data are deemed more sensitive and warrant stricter protection. These are referred to as special category data and include details about an individual’s:

  • Race or ethnic origin
  • Political opinions
  • Religious or philosophical beliefs
  • Trade union membership
  • Genetic information
  • Biometric data (when used for identification)
  • Health
  • Sexual orientation or sex life

Additionally, information concerning criminal convictions and offences is subject to similar stringent safeguards.


Handling Unstructured Paper Records

The UK GDPR primarily addresses data that is electronically stored or systematically organised. However, the Data Protection Act 2018 (DPA 2018) extends personal data protections to unstructured manual records held by public authorities.

This ensures such records are appropriately safeguarded for requests under the Freedom of Information Act 2000. Although these records are exempt from most GDPR principles, they still require attention to ensure their confidentiality and integrity.


Distinguishing Between Pseudonymisation and Anonymisation

Pseudonymisation

Pseudonymisation involves replacing identifying elements within data with coded references, ensuring individuals are not immediately recognisable. For instance, names might be substituted with reference numbers, and the key to decode these references is stored separately. While this reduces risks and aids compliance, pseudonymised data is still classified as personal data since it remains possible to re-identify individuals with additional information.

Example: A courier company pseudonymises driver data for fleet efficiency analysis. Although the data is pseudonymised, the company retains the ability to re-identify drivers using additional records, keeping the data under GDPR regulation.
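The courier scenario above, sketched in code as an added example that is not part of the original article: driver names are replaced with keyed reference codes, and the lookup needed to reverse them is produced separately. The field names, the `DRV-` prefix and the sample records are hypothetical and constructed for illustration.

```python
import hashlib
import hmac
import secrets


def make_reference(name: str, key: bytes) -> str:
    """Derive a stable reference code from a name using HMAC-SHA256.

    A keyed hash is used so the code cannot be recomputed from a list of
    names without the key. Truncated to 12 hex characters for readability.
    """
    normalised = name.strip().lower().encode("utf-8")
    digest = hmac.new(key, normalised, hashlib.sha256).hexdigest()
    return "DRV-" + digest[:12]


def pseudonymise(records, key):
    """Return (analysis_rows, lookup).

    analysis_rows carry a reference code instead of the name.
    lookup maps reference -> name and must be stored apart from the rows,
    with access restricted, together with the key.
    """
    analysis_rows, lookup = [], {}
    for rec in records:
        ref = make_reference(rec["driver_name"], key)
        lookup[ref] = rec["driver_name"]
        row = {k: v for k, v in rec.items() if k != "driver_name"}
        row["driver_ref"] = ref
        analysis_rows.append(row)
    return analysis_rows, lookup


def reidentify(ref, lookup):
    """Reverse a reference code; only possible for whoever holds the lookup."""
    return lookup.get(ref)


# Constructed sample records (hypothetical field names and values).
SAMPLE_RECORDS = [
    {"driver_name": "Jane Example", "route": "R12", "miles": 148},
    {"driver_name": "Sam Placeholder", "route": "R07", "miles": 201},
    {"driver_name": "Jane Example", "route": "R03", "miles": 95},
]

if __name__ == "__main__":
    key = secrets.token_bytes(32)  # assumption: kept in a separate secret store
    rows, lookup = pseudonymise(SAMPLE_RECORDS, key)
    for row in rows:
        print(row)
    print("re-identified:", reidentify(rows[0]["driver_ref"], lookup))
```

Because the same driver always maps to the same reference, rows can still be linked per driver, and anyone holding the lookup can reverse the mapping, which is why the output remains personal data.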

Anonymisation

By contrast, anonymisation ensures individuals cannot be identified under any circumstances, rendering the data outside the scope of the UK GDPR. Achieving true anonymisation can be challenging, as any reasonable possibility of re-identification invalidates the process. It’s essential to ensure anonymisation is robust, as improperly anonymised data remains subject to GDPR rules.

Note: The act of anonymising data itself constitutes data processing under GDPR.


Data Concerning Deceased Individuals

GDPR applies only to living individuals. Information related to deceased persons falls outside its scope, though other laws may regulate such data.


Information About Legal Entities

GDPR does not consider data about legally recognised entities, such as limited companies, to be personal data. However, information about individuals within these organisations—such as sole traders, directors, or employees—can qualify as personal data if it identifies them as individuals.

For example, a person’s name and corporate email address would fall under GDPR if linked to their identity.


Key Takeaways

To determine whether the EU/UK GDPR applies to your data:

  • Can an individual be identified from the data, alone or combined with other details?
  • Does the information relate to their private or professional identity?
  • Could the data be re-identified despite anonymisation efforts?

Answering these questions ensures you categorise your data correctly and apply the appropriate level of protection. By understanding and adhering to UK GDPR principles, you can safeguard individuals’ privacy while maintaining compliance with data protection laws.

FAQs

What are some common examples of personal data under GDPR?

Common examples include names, email addresses (even work ones), phone numbers, IP addresses, location data, National Insurance numbers, and any identifier that links to a person’s identity. Less obvious examples might include voice recordings, photos, or behavioural profiles—anything that could reasonably be used to identify someone.

Is work-related information always classed as personal data?

Not always—but it often is. A business name or generic email like info@company.com is not personal data. However, j.smith@company.com would likely be personal data if it can identify the individual, even in a professional context. If the data relates to a sole trader or a named employee, GDPR usually applies.

How can I tell if data is truly anonymised or just pseudonymised?

If the data can be linked back to an individual using any reasonably available means—even if it requires extra steps or separate records—it’s pseudonymised and still falls under GDPR. True anonymisation means the individual cannot be identified by any means, making GDPR no longer applicable. If in doubt, treat the data as personal.

Does GDPR apply to handwritten notes or paper records?

Only if those notes form part of a structured filing system or, for public authorities, are unstructured but accessible (e.g. for Freedom of Information requests). Casual notes or personal reminders usually fall outside the GDPR scope, but caution is advised—especially in regulated environments or public bodies.

Is information about a deceased person or company protected by GDPR?

No. GDPR only applies to living individuals. Data about deceased persons is not protected under GDPR, though it may be covered by other legislation (e.g. confidentiality or medical record laws). Similarly, company data is not personal—unless it includes information that identifies specific individuals within that company.

See also – The GDPR Personal Data summary from the ICO

Written by

Alan Parker

Alan Parker is an experienced IT governance consultant who’s spent over 30 years helping SMEs and IT teams simplify complex IT challenges. With an Honours Degree in Information Systems, ITIL v3 Expert certification, ITIL v4 Bridge, and PRINCE2 Practitioner accreditation, Alan’s expertise covers project management, ISO 27001 compliance, and service management best practices. Recently named IT Project Expert of the Year (2024, UK).