What is Considered Personal Data Under the GDPR?
9 Nov 2021
Share this post
GDPR is the farthest-reaching data protection legislation in the world. It governs the collection, storage, and destruction of personal data for all citizens of the EU. Nor are organizations located geographically outside the EU exempt. This overarching regulation covers any personal data from EU citizens.
There’s just one area of confusion: what exactly is personal data? And what’s covered under GDPR?
After all, failure to obtain explicit consent for personal data collection will render you GDPR non-compliant. That can lead to fines in the tens of millions.
Here we will cover the exact definition of personal data under the GDPR. We’ll provide some examples and discuss the implication of this definition.
What even is personal data?
According to the GDPR, personal data is defined as:
“‘Personal data’ means any information relating to an identified or identifiable natural person (‘data subject’).
If that sounds vague, it’s because it is.
The GDPR does not specify precisely what is considered personal data. There is no final list. It’s purely speculative, based on the interpretation of the GDPR.
The regulation does further clarify that it is only applicable when an individual can be identified, directly or indirectly, “by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural, or social identity of that natural person.”
Essentially, everything about them. Presumably, the legislation was written intentionally vague to include the full gamut of personal data that could be collected. But it does make GDPR non-compliance highly possible.
Examples of personal data under the GDPR
Understanding when and where something is considered personal data is tricky. To help, here are five potential scenarios. Can you guess what is deemed to be personal data for each one?
1. You own a dog saloon and want to expand online. You create a website that collects information about internet protocol addresses and cookie identifiers. You also keep a forum where people talk about all-things dogs – their account is linked to the dog breed they own.
Answer: Here, the cookies are definitely personal data. In contrast, the dog breed may not be, as it cannot be used to identify the person-in-question.
2. You run a forum website where people anonymously debate about their local politics. No information is provided about a person’s locality, their name, age, or profession. Only their political opinions are listed.
Answer: Even though the political opinions are given anonymously, they are still considered as personal data. Thus, they are subject to the GDPR.
3. You work for an online survey company. As part of your survey, you collect anonymous information about people’s buying choices. The buying choices are kept in a database and used to assess public trends.
Answer: As the purchasing information is already anonymized, then the GDPR is not relevant here. Consent will still need to be collected initially. But subsequently, no further GDPR-compliance is necessary, provided no further information is collected.
4. You create an app that lets users chat with people in their immediate vicinity. The app collects location data and stores the conversation even after a person has deleted the app.
Answer: The location data, conversation content, and any further information related to their account are all covered under GDPR. That means consent and compliance are essential. However, the GDPR also specifies that personal data should only be kept for as long as necessary. Therefore, you may be GDPR non-compliant if you keep the data long after someone has deleted the app.
5. You create a website that allows people to morph photos of their faces. The website lets you upload the photo and then download the final image. However, if the user clicks off the page, the website does not remember previous images uploaded.
Answer: Under normal circumstances, a photo is considered personal data. On this occasion, however, as the photo is automatically deleted, then the site owner is not regulated by the GDPR. The GDPR would cover only information such as cookies collected.
How organizations can handle personal data
Following GDPR, it is critical for organizations to handle personal data diligently and with care. Breaches of GDPR can result in large fines or even legal action.
There are two ways to prevent this:
Anonymization is broadly understood by everyone. Here, any personal data is removed or encrypted to prevent the easy identification of the persons involved. Encryption is particularly useful, as it allows personal data to be replaced with other data.
That allows for personal data to be readily transferred or used without significant worry about the impact of a data breach.
Pseudonymisation functions similarly. It allows personal data to be replaced with ‘artificial identifiers.’ That enables companies to analyze the collected data without risking a data breach and stays within the parameters of the user consent.
Here are some examples of pseudonymisation:
- A username on an online forum (instead of their legal name)
- A company analyzing user purchases randomly generates pseudonyms and fake address data
- In a clinical trial, a subject is given a “study number” in place of their name
That’s our complete breakdown of what is considered personal data under the GDPR. If you run an online business or routinely collect personal data, you will likely be affected by the GDPR. Therefore, it’s important to be aware of the pertinent legislation and how you can stay compliant.
If you believe you are affected by GDPR, we wholly recommend reading the 88-page regulation itself.