If you had to summarize the EU’s General Data Protection Regulation (GDPR) in the briefest way possible, it might be this: The GDPR regulates the use of personal data. That is certainly the law’s overarching purpose, but for anyone trying to understand the GDPR, this statement begs a follow-up question. What is “personal data”?
The quick answer is that a lot of information is considered personal data under the GDPR. In this article we’ll go over the statutory definition of the term and provide some real-world examples to help understand the scope of what is covered.
Article 4 of the GDPR provides the legal definition of “personal data,” which is:
‘Personal data’ means any information relating to an identified or identifiable natural person (‘data subject’).
Using this definition, the test for determining whether a specific piece of information is personal data is to ask two questions. First, is there an identified or identifiable person? If so, does the information relate to that person?
Imagine a spreadsheet with information about thousands of individuals, but it only has two pieces of data on each one: an anonymous identifier and gender. It reads, “Person #1 - Female,” “Person #2 - Male,” and so on. Taken in isolation, this is not personal data because it is not possible to identify any of the people.
However, this can easily become personal data with the addition of a little more information. For example, if you added another column that showed each person’s email address, they become identifiable. Now the gender identification for each individual is information related to an identifiable person, so it is personal data. In fact, even the (formerly) anonymous identifier becomes personal data as an identification number assigned to each person.
If all of that sounds a bit abstract, delving into a few examples should bring it into focus. Here are some of the most common types of GDPR personal data:
Identifiers serve a dual function as they both identify the data subject and are specific pieces of information related to that person. Common identifiers are names, mailing addresses, telephone numbers, email addresses, and usernames.
Though they are a subcategory of identifiers, online identifiers are worth calling out separately because so many organizations overlook them when examining their data practices. The two most common online identifiers are IP addresses and tracking technologies such as cookies and pixels. They are important to remember because most websites automatically collect this data from each of their visitors, and the identifiers are used to connect other kinds of online personal data (e.g., ad clicks, page views, etc.) to a particular data subject.
Any online activity can be considered personal data when related to an identifiable data subject (see “online identifiers” above). This includes browsing history, search history, email opens, ad clicks, shopping-cart data, and online purchases.
Geolocation data, even at a higher level such as city or state, is considered personal data when related to a specific data subject. For example, if a smartphone app connects GPS data to a device identifier, it is personal data.
Any number of personal characteristics such as age, gender, race, ethnicity, religion, and education can be personal data.
If an organization uses personal data to create a profile of a particular data subject (e.g., to predict future shopping behavior), the profile itself is a type of personal data.
This is by no means an exhaustive list of the types of personal data under the GDPR. If you’re not sure whether something is personal data, ask yourself, “Is there an identifiable person?” and then, “Does this information relate to them?”
If your organization needs to be GDPR compliant, and realizing how much personal data it processes is making your head spin, just remember that you don’t have to handle compliance alone.
TrueVault Polaris is designed to help businesses become GDPR compliant at a fraction of the cost of hiring lawyers or consultants. Similar to online tax software, Polaris works through an intuitive question-and-answer interface, allowing businesses to get compliant in as little as a few hours. Polaris also includes the necessary tools, from consent management to privacy-request workflows, to help you stay compliant with minimal effort. Contact us today to learn more.
Disclaimer: This content is provided for general informational purposes only and does not constitute legal advice. This content is not a substitute for obtaining legal advice from a licensed attorney. The information on this page may be changed without notice and is not guaranteed to be complete, correct or up-to-date, and may not reflect the most current legal developments.