The GDPR: What exactly is personal data?
Personal data is at the heart of the GDPR (General Data Protection Regulation), but many people are still unsure exactly what ‘personal data’ refers; to compound this issue, there’s no definitive list of what is or isn’t personal data, so it all comes down to correctly interpreting the GDPR’s definition:
- ‘[P]ersonal data’ means any information relating to an identified or identifiable natural person (‘data subject’).
In other words, any information that is clearly about a particular person. But how broadly does this apply?
The GDPR clarifies:
- [A]n identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as
- a name,
- an identification number,
- location data,
- an online identifier or to one or more factors specific to the
- cultural or
- social identity
- of that natural person.
For example, and In certain circumstances, the following could be considered someones personal data.
- An IP address,
- hair colour,
- job or
- political opinions
The qualifier ‘certain circumstances’ is worth highlighting, because whether the information is considered, personal data often comes down to the context in which data is collected.
CONTEXT IS EVERYTHING
Organisations usually collect many different types of information on people, and even if one piece of data doesn’t individuate someone, it could become relevant alongside other data.
- an organisation that collects information on people who download products from their website might ask them to state their occupation.
- In itself, the above example doesn’t fall under the GDPR’s scope of personal data, because, in all likelihood, a job title isn’t unique to one person.
- Similarly, an organisation might ask what company they work for, which, again, couldn’t be used to identify someone unless they were the only employee.
- However, in many instances, these pieces of information could be used together to narrow down the number of people to such an extent that you could reasonably establish someone’s identity. In other words, if you refer to someone with a specific job title at a specific organisation, there may only be one person who fits that description.
EXAMPLE NO GDPR
- where you know that someone is an ADMINISTRATOR at ACME TRUSTEES this doesn’t narrow things down much, and these two pieces of information together wouldn’t be considered personal data (for GDPR purposes).
EXAMPLE GDPR TRIGGER
- it’s highly unlikely that this information would be stored without a specific identifier, and this is where GDPR kicks in. for example an identifier could be
- the person’s name or
- payroll number.
NAMES AREN’T ALWAYS CONSIDERED PERSONAL DATA
You might think that someone’s name is as clear an example of personal data as it gets; it is literally what defines you as you. But it’s not always that simple, as the UK’s Information Commissioner’s Office explains:
- “By itself the name John Smith may not always be personal data because there are many individuals with that name.
- “However, where the name is combined with other information (such as an address, a place of work, or a telephone number) this will usually be sufficient to clearly identify one individual.”
However, the ICO also notes that names aren’t necessarily required to identify someone:
- “Simply because you do not know the name of an individual does not mean you cannot identify [them].
- Many of us do not know the names of all our neighbours, but we are still able to identify them.”
A GUIDE TO WHAT IS (OR COULD BE) PERSONAL DATA
As shown above, it can be hard to say whether certain information meets the GDPR’s definition of personal data. However, the following list provides a list of things that could be considered personal data, either on their own or in combination with other data:
- Biographical information or current living situation, including
- dates of birth,
- Social Security numbers,
- phone numbers and
- email addresses.
- Looks, appearance and behaviour, including
- eye colour,
- weight and
- character traits.
- Workplace data and information, including
- tax information and
- student numbers.
- Private and subjective data, including
- political opinions and
- geo-tracking data.
- Health, sickness and genetics, including
- medical history,
- genetic data and
- information about sick leave.