Is there a list of what is personal data under GDPR?
This is a very reasonable question to ask, but there is no simple list, and for good reason.
GDPR compliance must begin by being crystal clear about what personal data is, particularly since GDPR has broadened the definition from the DPA (Data Protection Act).
The difficulty with lists and GDPR
Under GDPR, personal data is defined as data (held in either automated or manual systems which are accessible in accordance with defined criteria) from which you can identify a living natural person, who is known as the data subject. This broad definition makes it quite difficult to produce a definitive list of exactly what will always be personal data, because it includes being able to identify someone:
- Directly from the data in isolation, for example, a person’s name and address or
- Indirectly, when that data is combined with other data that you hold or are likely to hold. So, for example, your electricity consumption reading is not personal data by itself, but combined with other details that your energy supplier has, like who pays the bill, potentially makes it personal data.
So personal data might be:
- Obvious – as in the case of a name and address or
- Sometimes not quite so obvious.
Let’s consider the example of email addresses held in isolation:
- The email address [email protected] clearly identifies someone
- However, the email address [email protected] may identify someone if there is only one person on the accounts team at ABC.com, but is less likely to if the team consists of 250 people.
Looking at Article 4 of the GDPR the following will be personal data:
- A name
- An identification number
- Location data
- Something specific to the person’s physical, physiological, genetic, mental, economic, cultural or social identity
- Online identifiers, such as:
  - IP addresses (internet protocol addresses)
  - cookie identifiers
  - other identifiers such as radio frequency identification tags
  (because, when combined with unique identifiers and other information received by servers, these could be used to identify individuals)
- Pseudonymised personal data – for example, key-coded personal data, depending on how easy it is to recognise a particular individual from the pseudonym. However, GDPR confirms (Recital 26) that it doesn’t apply to effectively anonymised data.
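The last bullet turns on how easily a particular individual can be recognised from the pseudonym, and that depends on who holds what. The following Python script is an added example and is not part of the original article; it uses constructed sample addresses (`alice@example.com` and so on, not real people) and a hypothetical customer list to show the difference between an unkeyed hash, which anyone holding a list of likely identities can recompute and match, and a key-coded pseudonym, which the key holder can still link back to a person (so for them it remains personal data) while a party without the key cannot:

```python
import hashlib
import hmac
import secrets
from typing import Callable, List, Optional

# Constructed sample addresses for illustration only (not real people).
CUSTOMER_EMAILS = ["alice@example.com", "bob@example.com", "carol@example.com"]


def plain_hash(email: str) -> str:
    """Unkeyed SHA-256 of a normalised email address: anyone can recompute it."""
    return hashlib.sha256(email.strip().lower().encode()).hexdigest()


def keyed_pseudonym(email: str, key: bytes) -> str:
    """Key-coded pseudonym: HMAC-SHA256 under a secret key held only by the
    controller. Recomputing it for a given address requires that key."""
    return hmac.new(key, email.strip().lower().encode(), hashlib.sha256).hexdigest()


def reidentify(pseudonym: str, candidates: List[str],
               derive: Callable[[str], str]) -> Optional[str]:
    """Try to link a pseudonym back to a person by recomputing it over the
    identities the holder already has (the 'combined with other data you hold
    or are likely to hold' test). Returns the matching identity or None."""
    for candidate in candidates:
        if hmac.compare_digest(derive(candidate), pseudonym):
            return candidate
    return None


def classify(pseudonym: str, candidates: List[str],
             derive: Callable[[str], str]) -> str:
    """Label the record from the viewpoint of whoever holds `candidates`
    and is able to compute `derive`."""
    if reidentify(pseudonym, candidates, derive) is not None:
        return "personal data"
    return "not identifiable with these resources"


def demo() -> dict:
    """Run the three viewpoints over one constructed subject and return the labels."""
    controller_key = secrets.token_bytes(32)   # kept separately from the pseudonymised dataset
    target = "bob@example.com"
    results = {}

    # 1. Unkeyed hash: a third party holding a customer list recomputes and matches.
    results["plain_hash"] = classify(plain_hash(target), CUSTOMER_EMAILS, plain_hash)

    # 2. Key-coded pseudonym as seen by the key holder: still linkable, so still personal data.
    results["keyed_with_key"] = classify(
        keyed_pseudonym(target, controller_key), CUSTOMER_EMAILS,
        lambda e: keyed_pseudonym(e, controller_key))

    # 3. Same pseudonym as seen by someone without the key: the customer list alone is not enough.
    other_key = secrets.token_bytes(32)
    results["keyed_without_key"] = classify(
        keyed_pseudonym(target, controller_key), CUSTOMER_EMAILS,
        lambda e: keyed_pseudonym(e, other_key))
    return results


if __name__ == "__main__":
    for viewpoint, label in demo().items():
        print(f"{viewpoint}: {label}")
```

The point the script makes is that the same column of pseudonyms can be personal data in one party's hands and not in another's; a sensible record of processing therefore notes who holds the key (or the candidate list) rather than treating "hashed" as equivalent to "anonymised".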
A good way to help identify personal data is to think about what GDPR is aiming to achieve, which is:
- “greater transparency, enhanced rights for citizens” and
- “increased accountability”.
GDPR is new and, as with everything else new, it will become clearer in practice; but at the moment you may wish to err on the side of caution and treat any data which you are unsure about as personal data, because this will both fulfil the aims of GDPR and help build a relationship of trust between you and individual data subjects. The reason there is no definitive list is that GDPR requires you to think about how data is used, rather than blindly following a list which can feel reassuring but be misleading. Much depends on the way the data is processed.
For more information on GDPR and how it affects your business, follow our blogs or email us at [email protected]