What is personal data under GDPR?


How your business manages personal data is at the heart of data privacy laws like GDPR. While many have taken steps to become compliant, the increasingly strict regulations saw GDPR fines rise by 40% last year.

Understanding what personal data is under GDPR is the first step in creating a compliant data management strategy that builds stronger customer relationships from the first click.

What is personal data under GDPR?

‘Personal data’ means any information relating to an identified or identifiable natural person. An identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.

Usually, when people think of personal data, they think of a name, email address, phone number, passport number and other examples in the definition above. But the definition of personal data in GDPR is much broader. Personal data is not limited to information capable of identifying a person. Once a person is identifiable, any information related to them is also personal data. For example, if a customer fills in a survey or gives feedback on your product, the contents of their response are all personal data, as they are that person’s personal opinion about your product or service.

Is anonymous data subject to GDPR?

Anonymous data is not personal data under GDPR, so it is not subject to the GDPR. However, for data to be anonymous, it must be impossible to re-identify the person the data is about. 

It is not enough to mask or pseudonymise personal data for it to be considered anonymous. 

Difference between anonymisation and pseudonymisation

Pseudonymisation is the processing of personal data so that the data can no longer be linked to the person without additional information. In practice, pseudonymisation means replacing a data set’s directly identifying data (e.g. last name, first name, etc.) with indirectly identifying data (e.g. alias, sequential number, etc.).

Anonymisation is the processing of personal data so that it is impossible to identify the person by any means whatsoever. Therefore the anonymisation must be irreversible. In practice, this usually involves the secure deletion of the original data.
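The difference can be seen in a short Python sketch, added here as an illustration and not taken from the original article. The field names, the `subject-NNNNNN` alias format and the sample survey records are assumptions constructed for the example.

```python
import itertools

DIRECT_IDENTIFIERS = ("first_name", "last_name", "email")  # assumed column names


class Pseudonymiser:
    """Replaces direct identifiers with a sequential alias.

    The lookup table is the "additional information": whoever holds it can
    reverse the process, so the output is pseudonymised, not anonymous.
    """

    def __init__(self):
        self._counter = itertools.count(1)
        self._alias_by_person = {}  # identifiers -> alias (keeps aliases stable)
        self.lookup = {}            # alias -> identifiers (store separately)

    def pseudonymise(self, record):
        identity = tuple(record[f] for f in DIRECT_IDENTIFIERS)
        alias = self._alias_by_person.get(identity)
        if alias is None:
            alias = f"subject-{next(self._counter):06d}"
            self._alias_by_person[identity] = alias
            self.lookup[alias] = dict(zip(DIRECT_IDENTIFIERS, identity))
        out = {k: v for k, v in record.items() if k not in DIRECT_IDENTIFIERS}
        out["alias"] = alias
        return out


def reidentify(record, lookup):
    """Re-attach the identity using the lookup table; None if the alias is unknown."""
    identity = lookup.get(record["alias"])
    if identity is None:
        return None
    return {**identity, **{k: v for k, v in record.items() if k != "alias"}}


# Constructed sample survey responses (not real people).
SAMPLE = [
    {"first_name": "Ana", "last_name": "Ruiz", "email": "ana@example.com", "feedback": "Checkout was slow"},
    {"first_name": "Ben", "last_name": "Okoro", "email": "ben@example.com", "feedback": "Love the app"},
    {"first_name": "Ana", "last_name": "Ruiz", "email": "ana@example.com", "feedback": "Support fixed it"},
]


def demo():
    p = Pseudonymiser()
    pseudo = [p.pseudonymise(r) for r in SAMPLE]
    with_table = reidentify(pseudo[0], p.lookup)  # holder of the table can reverse it
    without_table = reidentify(pseudo[0], {})     # no table: the alias alone does not name anyone
    return pseudo, with_table, without_table
```

As long as the lookup table exists anywhere, the aliased records remain personal data; the same person also keeps the same alias across records, so their responses stay linked to each other.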

What is sensitive personal data?

Sensitive data (or “Special categories” of personal data as it’s called in GDPR) is information that requires additional protection as the processing or mishandling of this data could result in a greater risk to the rights and freedoms of individuals. 

Sensitive personal data covers:

  • data revealing racial or ethnic origin
  • data revealing political opinions
  • data revealing religious or philosophical beliefs
  • data revealing trade union membership
  • genetic data
  • biometric data for the purpose of uniquely identifying a natural person
  • data concerning health
  • data concerning a natural person’s sex life or sexual orientation