GDPR personal data – what information does this cover?

What is meant by GDPR personal data and how it relates to businesses and individuals.

Personal Data

Under GDPR, personal data means any information that could feasibly be used to identify a person.

GDPR personal data is a broad category

Personal data covers a much broader definition than the previous legislation demanded. While it includes the obvious personal information such as This includes credit card number, email address, name and date of birth, it also covers political opinions, race, gender and much more.

Today, social media and smartphones are everywhere. This changes the kind of personal information that’s shared by users. It includes biometric data, such as retina scans and fingerprint identification. It also covers location data from Google Maps, IP addresses and absolutely everything people share online.

Personal data is sometimes referred to as personally identifiable information (PII) and is evolving as fast as technology is changing. Pseudonymous data must come under personal data for companies auditing their websites and information. This refers to data that can’t be used on its own to identify a person, but in conjunction with other pieces of personal data it can be used to do so.

Legally defined personal data

Which pieces of personal data are legally defined as PII does depend on the country of origin. PII can vary from region to region but the GDPR refers to data relating to a person that can be identified from it, either directly or indirectly.

This covers a wide range of identifiers that includes but is not restricted to:

  • Name
  • Date of birth
  • Nationality
  • Race
  • Identification number
  • Location data
  • Other online identifier
  • Automated personal data online
  • Data held in manual filing systems, such as chronologically ordered personal files
  • Pseudonymised (key-coded)

Personal data at a glance

GDPR refers to processing personal data that:

  • Includes information relating to people who can be identified or are in some way identifiable directly from that data.
  • Information relating to people who can be indirectly identified from that data or from other information along with it.
  • Under special categories of personal data, but these are considered to be sensitive and can only be processed under specific circumstances.
  • Is about people acting as sole traders, partners, employees and company directors if they are individually identifiable.

Personal data relating to GDPR does not cover:

  • Information about someone who is dead.
  • Properly anonymised data.
  • Information about public authorities and companies.

What are GDPR identifiers?

A person can be identified if they are distinguishable from another individual.

The most common identifier is a name. But any possibly identifier can feasibly identify a person depending on context. Sometimes a number of identifiers together can identify a person.

GDPR comes with a non-exhaustive list of identifiers, including online identifiers as outlined above.

Identifier checklist for companies:

  • Can you identify an individual person just by looking at the data you are processing?
  • You don’t need to have a name to identify a person. It could be a combination of other pieces of data that act as the identifier.
  • These other pieces of information could be something you already hold, or information from a separate source.
  • You need to assess how the data you are processing could feasibly be used by another to identify a person.
  • Sometimes, there is a very slight chance that it would be possible to put the data together to identify an individual. However, if this is more hypothetical than feasible, this isn’t enough to be formally identifiable under GDPR.
  • The onus is on the company processing the data to work out whether there is a future likelihood that the data could be used to identify someone.
  • Information must relate to the person to be considered personal data, which means it’s not just about identifying who they are. It must concern them in some way. To decide this think about:
    • The data content and whether it’s about the person or what they do.
    • The reason you are processing the data.
    • The possible effects on the person from the data processing.

Special categories of personal data

For more information refer to our dedicated page on special categories of personal data