What is classified as “Personal Data” in the General Data Protection Regulation (GDPR)?

The GDPR defines personal data (aka PII) as “data from which a living individual can be identified or identifiable (by anyone), whether directly or indirectly, by all means reasonably likely to be used.”

Identification can be direct (e.g. a person’s name) or indirect (e.g. the owner of a business). The definition of personal data applies to any piece of information which can be used to identify an individual, based on ‘all means reasonably likely to be used’.

For example, a user ID number is classed as personal data, because it can be matched to the name of a user on a database. The term ‘personal data’ still applies to data even if it requires the use of information elsewhere to identify an individual.

Personal data includes:

  • Identifiable information such as numbers
  • Factors specific to a person’s physical, physiological, mental, economic, cultural or social identity

The GDPR goes on to state examples of this personal data explicitly, and specifically adds new identifying types of data to its definition. These include:

  • Names
  • Location Data – Data that has any kind of geographic position attached to it. This is classified as personal because it could be used to identify where an individual lives, works, and sleeps, or to find out social, religious, or cultural identities.
  • Online identifiers – Digital information such as IP addresses, cookie strings or mobile device IDs. For example, as an IP address can be used to find out where an individual is located, it is clearly personal data.

As a subcategory of personal data, sensitive data refers to a more specific type of personal data that should be treated with extra protection. The current definition of this includes information such as:

  • Racial or ethnic origin
  • Political opinions
  • Religious or philosophical beliefs
  • Trade-union membership
  • Health or sex life

Under the GDPR, sensitive data is given enhanced protection, with explicit consent required for its processing. Two new information types are also added to this classification: genetic data and biometric data.

Genetic data specifically refers to gene sequences, which are used for medical and research purposes. Biometric data includes fingerprints, and retinal and facial recognition.

If you can identify an individual from any data held, then the data is “Personal Information” and it therefore falls within the scope of the GDPR.