Knowledge Hub
for Growth

What is personal data under GDPR?

Simply put, personal data is information that relates to an individual. In an age where personal data has become a valuable commodity, and the data security of individuals is under constant threat from cyber attackers and others, tighter regulation of organisations that process personal data has become essential.

In the UK organisations are subject to the General Data Protection Regulation (GDPR). This legislation gives our regulator – the Information Commissioner’s Office (ICO) – extensive powers to investigate and sanction companies that do not comply with the laws on data protection. ICO fines can be significant and GDPR breaches can cause irreparable reputational damage to an organisation. As a result it has become necessary for all businesses that process personal data to implement GDPR compliant procedures and ensure that staff receive adequate training on data protection principles.

In this article we introduce some of the key issues around personal data and GDPR. If you would like additional support in managing your data privacy obligations, our knowledgeable team of data protection solicitors are ready to provide support tailored to your business goals.

What is personal data?

Remember that GDPR only applies to personal data – not all the information you hold will be caught by the rules. But information that directly identifies an individual (a person’s name for example) or is capable of indirectly identifying them when taken alongside other information about them (like a National Insurance number) is personal data that you must process in a secure, GDPR compliant manner. In practice this means only processing the data if you have a lawful basis for doing so such as obtaining the consent of the individual and you comply with rules about storage of data and data retention. We have a handy guide on how to write a data retention policy if you would like more information on this subject.

What is not considered personal data?

This is essentially any data that cannot be used on its own to identify a living individual.

Businesses and public authorities are entities so don’t apply to individuals unless of course the name of the entity can identify a living individual, such as, if of course, Louis Vuitton was a living identifiable person.

Who’s involved in managing personal data?

There are two key people involved in the collection and processing of data:

  1. Data Controller: This is the person who has ultimate control of the data and how it is processed.
  2. Data Processer: The person who processes the data on behalf of the data controller.

It’s possible for there to be more than one person in each role, and it’s also possible for one person to have both roles. Many organisations will appoint a data protection officer specifically to help with data protection law compliance.

Who is the data subject?

The person to whom, personal data relates, is called a data subject. A data subject must be a living individual that is identifiable from, the personal data.

What are personal data identifiers?

We’ve seen that personal data must identify an individual, directly, or indirectly. This means distinguishing the individual from others. Ways an individual can be directly identified (‘identifiers’) include:

  • Name
  • ID number
  • An individual’s location
  • Online identifiers such as IP and MAC addresses and device fingerprints

It’s also possible that someone could be indirectly identified from the information you hold, for example through a car registration number, a national insurance number or passport number. Consider whether, through a combination of the information you hold and other information held by a third party an individual could be distinguished from others.

A person’s name is the most common identifier but an additional identifier such as an address will be necessary to distinguish that individual from someone with the same name.

If you are holding data that identifies an individual you should:

  1. Keep the information secure
  2. Protect it from inappropriate disclosure
  3. Be open about how you are collecting the information
  4. Ensure that you are justified in any processing

What are related factors?

Identifying an individual from the data you hold is key to establishing whether or not the data is personal (and subject to GDPR). But that’s not the whole picture. For data to be caught by GDPR it must also relate to an individual. Is the information about the individual or in some way linked to them?

To establish whether information is related to an individual you need to examine the content of the data, consider the purposes for which you are processing it, and assess the likely impact this will have on the individual.

Examples of related factors that are about an individual or their activities include:

  • Medical history
  • Criminal record
  • HR records
  • Bank statements
  • Phone bills

What is special category personal data?

Not all personal data requires the same level of protection. GDPR recognises that certain data is so sensitive that if it were to be the subject of a breach or cyber-attack the impact on the individual data subject would be significant. GDPR refers to this type of data as ‘special category data’.

It includes data relating to:

  • Race
  • Ethnic origin
  • Political opinions
  • Religious or philosophical beliefs
  • Trade union membership
  • Genetic data
  • Biometric data (where this is used for identification purposes)
  • Health data
  • Sex life
  • Sexual orientation

If your business is processing special category data you are required to satisfy a series of additional conditions set out in GDPR. And because processing such data may carry a high degree of risk you will usually need to complete a data protection impact assessment (DPIA).

Is anonymised data still protected under GDPR?

If we bear in mind that the whole purpose of data protection law is to protect individuals from harm, it follows that the GDPR rules have no application to anonymised data. Data that has been anonymised correctly (so that it meets GDPR requirements) doesn’t relate to an identified or identifiable individual. Our training and advice sessions and the data protection audits we offer encourage organisations to anonymise data where possible because in doing so you limit your exposure to data breaches and regulatory intervention.

Is information about companies included as personal data?

No. GDPR applies only to data that relates to a natural as opposed to a legal person. It’s not concerned with data relating to companies, public authorities or other legal entities. GDPR however does apply to officers of a company, including directors and secretaries as well as to company employees.

It’s also worth noting that GDPR does not apply to data relating to deceased individuals.

What factors do you need to consider when processing personal data?

We’ve already touched on some of the factors to consider when processing personal data. Does it relate to an individual? Is the data particularly sensitive? Should you anonymise the data? Elsewhere on the website we answer many of the common questions about data processing.

You should also bear in mind the seven principles of GDPR that underpin the entire data protection regime. They require data to be:

  • Processed lawfully
  • Collected for a legitimate purpose
  • Processed in a way that is limited to what is necessary
  • Maintained accurately and kept up to date
  • Kept in a way that identifies individuals only for as long as necessary
  • Processed securely

Controllers and processors must also be able to demonstrate GDPR compliance – the accountability principle.

In addition to complying with these principles, data processors must be able to justify their processing – that is to say they must have a lawful basis for doing so. Grounds for processing include the fact that you have the individual’s consent, you are processing the data in performance of a public task or you have a legal obligation to process the data. Processors must also always bear in mind the rights of individuals and the importance of security when processing personal data.

Consider implementing an information security policy to help your employees understand potential risks and their obligations in various scenarios.

About our expert

Becky White

Becky White

Senior Data Protection & Privacy Solicitor
Becky is an experienced data protection and privacy lawyer who qualified in 2002. She supports clients with navigating data protection compliance and provides practical commercial advice related to privacy laws.  

What next?

If you need advice on how GDPR affects your business, our specialist team of data protection solicitors can help. Call us on 0800 689 1700, email us at, or fill out the short form below with your enquiry.

Your data will only be used by Harper James Solicitors. We will never sell your data and promise to keep it secure. You can find further information in our Privacy Policy.

Our offices

A national law firm

A national law firm

Our commercial lawyers are based in or close to major cities across the UK, providing expert legal advice to clients both locally and nationally.

We mainly work remotely, so we can work with you wherever you are. But we can arrange face-to-face meeting at our offices or a location of your choosing.

Head Office

Floor 5, Cavendish House, 39-41 Waterloo Street, Birmingham, B2 5PP
Regional Spaces

Stirling House, Cambridge Innovation Park, Denny End Road, Waterbeach, Cambridge, CB25 9QE
13th Floor, Piccadilly Plaza, Manchester, M1 4BT
10 Fitzroy Square, London, W1T 5HP
Harwell Innovation Centre, 173 Curie Avenue, Harwell, Oxfordshire, OX11 0QG
1st Floor, Dearing House, 1 Young St, Sheffield, S1 4UP
White Building Studios, 1-4 Cumberland Place, Southampton, SO15 2NP
A national law firm

Like what you’re reading?

Get new articles delivered to your inbox

Join 8,153 entrepreneurs reading our latest news, guides and insights.


To access legal support from just £145 per hour arrange your no-obligation initial consultation to discuss your business requirements.

Make an enquiry