What constitutes personal data for GDPR?

Many people are still unsure what exactly the term ‘personal data’ refers to, even though it forms the core of the EU General Data Protection Regulation (GDPR).

The EU-wide GDPR, which was brought into UK law on 25 May 2018, broadened the definition of what counts as personal data.

When we think of personal data, things like name, address, and phone number might come to mind. There is much more to it than that, according to the GDPR’s definition. Going beyond the details that would normally be considered personally identifiable information, the GDPR states that any information “specific to the physical, physiological, genetic, mental, economic, cultural, or social identity of that person” are under protection.

Given these broad parameters, it’s safe to assume that anything that identifies a person can fall under the definition of personal data. If you’re not sure that it counts, it probably does! In fact, the GDPR’s definition of personally identifiable information is “any information relating to an identified or identifiable natural person.”

Personal data includes an identifier such as:

  • your name
  • an identification number, such as your National Insurance or passport number
  • your location data, such as your home address or mobile phone GPS data
  • an online identifier, such as your IP or email address.

Personal data is information that relates to an identified or identifiable individual. … Even if an individual is identified or identifiable, directly or indirectly, from the data you are processing, it is not personal data unless it ‘relates to’ the individual.

Perhaps the biggest implication of this is that, under certain circumstances, personal data includes online identifiers such as IP addresses and mobile device IDs. Similarly, the GDPR introduces the concept of ‘pseudonymous data’ – personal data that cannot be attributed to the data subject without some additional information.

Securing Personal Data

The Information Commissioner’s Office (ICO) is the UK’s independent body set up to uphold information rights and sets out some key principles required to secure personal data for GDPR compliance. These are:

  • A key principle of the GDPR is that you process personal data securely by means of ‘appropriate technical and organisational measures’ – this is the ‘security principle’.
  • Doing this requires you to consider things like risk analysis, organisational policies, and physical and technical measures.
  • You must also consider additional requirements about the security of your processing – and these also apply to data processors.
  • You can consider the state of the art and costs of implementation when deciding what measures to take – but they must be appropriate both to your circumstances and the risk your processing poses.
  • Where appropriate, you should look to use measures such as pseudonymisation and encryption.
  • Your measures must ensure the ‘confidentiality, integrity and availability’ of your systems and services and the personal data you process within them.
  • The measures must also enable you to restore access and availability to personal data in a timely manner in the event of a physical or technical incident.
  • You also need to ensure that you have appropriate processes in place to test the effectiveness of your measures and undertake any required improvements.
Download 2019 GDPR Guide
Scroll to Top