What is personal data under GDPR?

What counts as personal data? And how has it changed under the new guidance?

What is personal data under GDPR?

The new General Data Protection Regulation (GDPR) comes in action on May 25th 2018 

In today's digital world, we share personal data in most transactions – from online banking to social media – so GDPR has been introduced to protect this data. Personal data is a very generic term, so what counts as personal data? And how will it change under the new guidance?  

Out with the old.  

Under the current UK Data Protection Act, personal data is defined as: 'any information relating to a living, identified or identifiable natural person.' This is pretty broad and basically includes all data that could identify someone – eg. a person's name, user ID or address – as well as information about someone's medical, mental, social or economic identity.  

In with the new.

One of the main reasons for introducing GDPR is to clearly define what counts as personal data and write it into law. GDPR follows the same general definition of personal data – all name and location data – but includes new types of digital data called online identifiers. This includes IP addresses, cookie strings and mobile device IDs.  

New additions.

GDPR has a sub-category of personal data called 'sensitive data' which adds another layer of protection. Sensitive data includes:  

  • Racial or ethnic origin  
  • Political opinions  
  • Religious or philosophical beliefs 
  • Trade-union membership 
  • Health or sex life 

Under GDPR, sensitive data is highly protected and organisations need permission from the individual to process it. 2 other types of data have been added to this list: genetic data and biometric data. Genetic data covers gene sequences which are used and stored for research purposes. Biometric data includes fingerprints, retinal scans and face recognition which are now commonly used for entry systems and mobile phones.  

Encryption confusion.  

Many organisations already encrypt personal data so that it can't be used to identify a person without being decrypted. You'd think that this data is no longer considered personal, but under GDPR, it is. No matter how securely data is stored, computer systems can be hacked and decrypted, so encrypted data is still considered personal data.

However, GDPR wants to encourage organisations to use pseudonyms, so if data is suitably pseudoymised and the data subject can’t be identified at all, the rules don’t apply. This is a bit confusing but means companies have a bit of wiggle room if they code data appropriately.  

Although personal data has the same definition for everyone under GDPR, organisations have to follow slightly different rules depending on whether they're data controllers or data processors.  

The data controller owns the data and controls how and why any personal data is processed.  

The data processor processes data on behalf of the data controller.  

If they don't comply, companies can face huge fines of up to €20 million or 4% of annual turnover – whichever is greater.   

This is pretty serious stuff, so we've created 2 GDPR checklists – 1 for data controllers and 1 for data processors – to help you get ready for GDPR.  

Get data controller checklist

Get data processor checklist


Disclaimer: This blog post is not legal advice for your company to use in complying with EU data privacy laws like the GDPR. Instead, it provides background information to help you better understand the GDPR. 


This article includes research and opinion sourced by OneFile at the time of publication. Things may have changed since then,
so this research is to be used at the reader's discretion. OneFile is not liable for any action taken based on this research.