News
Print Article

The GDPR: What exactly is personal data?

06/01/2020

Personal data is at the heart of the GDPR (General Data Protection Regulation), but many people are still unsure exactly what ‘personal data’ refers; to compound this issue, there’s no definitive list of what is or isn’t personal data, so it all comes down to correctly interpreting the GDPR’s definition:

  • ‘[P]ersonal data’ means any information relating to an identified or identifiable natural person (‘data subject’).

In other words, any information that is clearly about a particular person. But how broadly does this apply?

The GDPR clarifies:

  • [A]n identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as
    • a name,
    • an identification number,
    • location data,
    • an online identifier or to one or more factors specific to the
      • physical,
      • physiological,
      • genetic,
      • mental,
      • economic,
      • cultural or
      • social identity
    • of that natural person.

For example, and In certain circumstances, the following could be considered someones personal data.

  • An IP address,
  • hair colour,
  • job or
  • political opinions

The qualifier ‘certain circumstances’ is worth highlighting, because whether the information is considered, personal data often comes down to the context in which data is collected.

CONTEXT IS EVERYTHING

Organisations usually collect many different types of information on people, and even if one piece of data doesn’t individuate someone, it could become relevant alongside other data.

For example,

  • an organisation that collects information on people who download products from their website might ask them to state their occupation.

EXAMPLE Analysis

  • In itself, the above example doesn’t fall under the GDPR’s scope of personal data, because, in all likelihood, a job title isn’t unique to one person.
  • Similarly, an organisation might ask what company they work for, which, again, couldn’t be used to identify someone unless they were the only employee.
  • However, in many instances, these pieces of information could be used together to narrow down the number of people to such an extent that you could reasonably establish someone’s identity. In other words, if you refer to someone with a specific job title at a specific organisation, there may only be one person who fits that description.

EXAMPLE NO GDPR

  • where you know that someone is an ADMINISTRATOR at ACME TRUSTEES this doesn’t narrow things down much, and these two pieces of information together wouldn’t be considered personal data (for GDPR purposes).

EXAMPLE GDPR TRIGGER

  • it’s highly unlikely that this information would be stored without a specific identifier, and this is where GDPR kicks in. for example an identifier could be
  • the person’s name or
  • payroll number.

NAMES AREN’T ALWAYS CONSIDERED PERSONAL DATA

You might think that someone’s name is as clear an example of personal data as it gets; it is literally what defines you as you. But it’s not always that simple, as the UK’s Information Commissioner’s Office explains:

  • “By itself the name John Smith may not always be personal data because there are many individuals with that name.
  • “However, where the name is combined with other information (such as an address, a place of work, or a telephone number) this will usually be sufficient to clearly identify one individual.”

However, the ICO also notes that names aren’t necessarily required to identify someone:

  • “Simply because you do not know the name of an individual does not mean you cannot identify [them].
  • Many of us do not know the names of all our neighbours, but we are still able to identify them.”

A GUIDE TO WHAT IS (OR COULD BE) PERSONAL DATA

As shown above, it can be hard to say whether certain information meets the GDPR’s definition of personal data. However, the following list  provides a list of things that could be considered personal data, either on their own or in combination with other data:

  1. Biographical information or current living situation, including
    1. dates of birth,
    2. Social Security numbers,
    3. phone numbers and
    4. email addresses.
  2. Looks, appearance and behaviour, including
    1. eye colour,
    2. weight and
    3. character traits.
  3. Workplace data and information, including
    1. education,
    2. salary,
    3. tax information and
    4. student numbers.
  4. Private and subjective data, including
    1. religion,
    2. political opinions and
    3. geo-tracking data.
  5. Health, sickness and genetics, including
    1. medical history,
    2. genetic data and
    3. information about sick leave.
General

The Team

Meet the team of industry experts behind Comsure

Find out more

Latest News

Keep up to date with the very latest news from Comsure

Find out more

Gallery

View our latest imagery from our news and work

Find out more

Contact

Think we can help you and your business? Chat to us today

Get In Touch

News Disclaimer

As well as owning and publishing Comsure's copyrighted works, Comsure wishes to use the copyright-protected works of others. To do so, Comsure is applying for exemptions in the UK copyright law. There are certain very specific situations where Comsure is permitted to do so without seeking permission from the owner. These exemptions are in the copyright sections of the Copyright, Designs and Patents Act 1988 (as amended)[www.gov.UK/government/publications/copyright-acts-and-related-laws]. Many situations allow for Comsure to apply for exemptions. These include 1] Non-commercial research and private study, 2] Criticism, review and reporting of current events, 3] the copying of works in any medium as long as the use is to illustrate a point. 4] no posting is for commercial purposes [payment]. (for a full list of exemptions, please read here www.gov.uk/guidance/exceptions-to-copyright]. Concerning the exceptions, Comsure will acknowledge the work of the source author by providing a link to the source material. Comsure claims no ownership of non-Comsure content. The non-Comsure articles posted on the Comsure website are deemed important, relevant, and newsworthy to a Comsure audience (e.g. regulated financial services and professional firms [DNFSBs]). Comsure does not wish to take any credit for the publication, and the publication can be read in full in its original form if you click the articles link that always accompanies the news item. Also, Comsure does not seek any payment for highlighting these important articles. If you want any article removed, Comsure will automatically do so on a reasonable request if you email info@comsuregroup.com.