iDEA Inspiring Digital Enterprise Awards

What constitutes personal data?

GDPR protects the personal data of EU residents. Personal data is data that can be used to identify living individuals.

  • Basic identity information such as name, email, address, and ID numbers.
  • Web data such as location, IP address, cookies data, and RFID (radio-frequency identification) tags
  • Health, genetic, and biometric data
  • Racial or ethnic data
  • Political opinions
  • Sexual orientation
  • The commission or alleged commission of offences

There are a few steps to go through to determine whether the data your company holds (digitally or in hard copy format) is personal data.

Look at the following questions and identify whether the data described constitutes personal data.

Whoops - you got two wrong, you'll have to start again...

A living individual can be identified from the data, or, from the data and other information in your possession, or likely to come into your possession.

Is this personal data?

This is considered personal data.

An individual is 'identified' if you have distinguished that individual from other members of a group. In most cases an individual’s name together with some other information will be sufficient to identify them. Simply because you do not know the name of an individual does not mean you cannot identify that individual. The starting point might be to look at what means are available to identify an individual and the extent to which such means are readily available to you.

Hmmm. That's not right. This is considered personal data. If you get one more wrong, you’ll have to start again. If you need a recap, scroll to the top of the page to read again about different types of roles involved around GDPR.

The data ‘relates to’ an identifiable living individual, whether in personal or family life, business or profession. This data identifies an individual, even without a name associated with it, or is processed to learn or record something about that individual, or the processing of that information has an impact upon that individual.

Is this personal data?

This is considered personal data.

Hmmm. That's not right. This is considered personal data. If you get one more wrong, you’ll have to start again. If you need a recap, scroll to the top of the page to read again about different types of roles involved around GDPR.

The data is ‘obviously about’ a particular individual. Data ‘obviously about’ an individual will include their medical history, criminal record, record of their work or their achievements in a sporting activity. Data that is not ‘obviously about’ a particular individual may include information about their activities.

Is this personal data?

This is considered personal data.

Hmmm. That's not right. This is considered personal data. If you get one more wrong, you’ll have to start again. If you need a recap, scroll to the top of the page to read again about different types of roles involved around GDPR.

The data is ‘linked to’ an individual so that it provides particular information about that individual.

Is this personal data?

This is considered personal data.

Hmmm. That's not right. This is considered personal data. If you get one more wrong, you’ll have to start again. If you need a recap, scroll to the top of the page to read again about different types of roles involved around GDPR.

The data is used, or is to be used, to inform or influence actions or decisions affecting an identifiable individual.

Is this personal data?

This is considered personal data.

Hmmm. That's not right. This is considered personal data. If you get one more wrong, you’ll have to start again. If you need a recap, scroll to the top of the page to read again about different types of roles involved around GDPR.

The data has biographical significance in relation to the individual. When considering ‘biographical significance’, what is important is whether the data goes beyond recording the individual’s casual connection with a matter or event which has no personal connotations for him.

Is this personal data?

This is considered personal data.

Hmmm. That's not right. This is considered personal data. If you get one more wrong, you’ll have to start again. If you need a recap, scroll to the top of the page to read again about different types of roles involved around GDPR.

The data focuses or concentrates on the individual as its central theme rather than on some other person, or some object, transaction or event. For Example: information as to the number of products produced by a machine in a week could be used, either to access the efficiency of the machine, or it could be used to access the productivity of the individual operating the machine.

Is this personal data?

This is considered personal data.

Hmmm. That's not right. This is considered personal data. If you get one more wrong, you’ll have to start again. If you need a recap, scroll to the top of the page to read again about different types of roles involved around GDPR.

The data impacts or has the potential to impact on an individual, whether in a personal, family, business or professional capacity.

This is considered personal data.

Hmmm. That's not right. This is considered personal data. If you get one more wrong, you’ll have to start again. If you need a recap, scroll to the top of the page to read again about different types of roles involved around GDPR.

Well done.

From this you can see that any data that can be used, in any way, to identify an individual is considered personal data.

Even if the data is not usually processed to provide information about an individual, if there is a reasonable chance that the data will be processed for that purpose, the data will be considered personal data.

Next Step