Personal data is information that relates to an identified or identifiable person, that is, a person who could be identified, directly or indirectly, from the information.
The EU-wide rules in the Data Protection Act 2018 (GDPR) provide the legal definition of what counts as personal data in the UK.
GDPR applies to the processing of personal data wholly or partly by automated means, or to the processing other than by automated means of personal data which forms part of, or is intended to form part of, a filing system.
- Personal data only includes information relating to natural persons who:
  - can be identified or who are identifiable, directly from the information in question; or
  - can be indirectly identified from that information in combination with other information.
- Personal data may also include special categories of personal data or criminal conviction and offences data. These are considered to be more sensitive and you may only process them in more limited circumstances.
- Pseudonymised data can help reduce privacy risks by making it more difficult to identify individuals, but it is still personal data.
- If personal data can be truly anonymised then the anonymised data is not subject to the GDPR. It is important to understand what personal data is in order to understand if the data has been anonymised.
- Information about a deceased person does not constitute personal data and therefore is not subject to the GDPR.
- Information about companies or public authorities is not personal data.
- However, information about individuals acting as sole traders, employees, partners and company directors where they are individually identifiable and the information relates to them as an individual may constitute personal data.