If you had to summarize the EU’s General Data Protection Regulation (GDPR) in the briefest way possible, it might be this: the GDPR regulates the use of personal data. That is certainly the law’s overarching purpose, but for anyone trying to understand the GDPR, this statement raises an obvious follow-up question. What is “personal data”?
The quick answer is that a lot of information is considered personal data under the GDPR. In this article we’ll go over the statutory definition of the term and provide some real-world examples to help understand the scope of what is covered.
Article 4(1) of the GDPR provides the legal definition of “personal data,” which is:
‘Personal data’ means any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.
Using this definition, the test for determining whether a specific piece of information is personal data comes down to two questions. First, is there an identified or identifiable person, bearing in mind that identification may be indirect (through an ID number or a cookie value, for instance, rather than a name)? If so, does the information relate to that person?
Imagine a spreadsheet with information about thousands of individuals, but it only has two pieces of data on each one: an anonymous identifier and gender. It reads, “Person #1 - Female,” “Person #2 - Male,” and so on. Taken in isolation, this is not personal data, because none of the people can be identified from it. That conclusion holds only as long as nobody holds a key. If the organization (or anyone it shares the sheet with) keeps a separate table mapping “Person #1” back to a customer record, the identifier is pseudonymous rather than anonymous, and Recital 26 of the GDPR treats pseudonymised data as information on an identifiable person, so the spreadsheet is personal data after all.
Even a genuinely anonymous sheet becomes personal data with the addition of a little more information. For example, if you added a column showing each person’s email address, the people become identifiable. The gender entry for each individual is now information relating to an identifiable person, so it is personal data. In fact, even the (formerly) anonymous identifier becomes personal data, because it is now an identification number assigned to a specific person.
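To make the spreadsheet example concrete from a security engineer’s point of view, here is an added Python example (not code from the original article or from TrueVault) showing why an “anonymous identifier” frequently is not anonymous. It uses three constructed records, demonstrates that an unkeyed hash of an email address is reversed by anyone who can guess the emails, contrasts that with a keyed hash that only the key holder can reverse (pseudonymised, so still personal data), and ends with the one transformation, aggregation, that removes the link to individuals entirely. The email addresses and the key are made up for the example.

```python
import hashlib
import hmac
import secrets

# Constructed sample records for this example (no real people): the two-column
# spreadsheet from the text with an email column added, which is what makes
# each row relate to an identifiable person.
RECORDS = [
    {"email": "ana@example.com", "gender": "Female"},
    {"email": "bob@example.com", "gender": "Male"},
    {"email": "cy@example.com", "gender": "Female"},
]


def naive_pseudonymise(records):
    """Replace the email with an unkeyed SHA-256 digest.

    This is what many teams call "anonymising" a dataset. It is not: the
    digest is a deterministic function of the email, so it is a pseudonymous
    identifier and the rows remain personal data."""
    return [
        {"id": hashlib.sha256(r["email"].encode()).hexdigest(), "gender": r["gender"]}
        for r in records
    ]


def reidentify(pseudo_records, candidate_emails):
    """Rebuild the email -> row link from a list of plausible emails.

    Anyone who can guess or buy a list of addresses (a marketing list, a
    breach dump) hashes each candidate and joins on the digest. Returns a
    mapping of pseudonymous id -> recovered email for every hit."""
    lookup = {hashlib.sha256(e.encode()).hexdigest(): e for e in candidate_emails}
    return {row["id"]: lookup[row["id"]] for row in pseudo_records if row["id"] in lookup}


def keyed_pseudonymise(records, key):
    """HMAC-SHA256 under a secret key held by the controller.

    The dictionary attack above fails without the key, but the controller
    can still re-identify every row, so under Recital 26 this is pseudonymised
    personal data, not anonymous data. Protect the key as you would the
    emails themselves."""
    return [
        {"id": hmac.new(key, r["email"].encode(), "sha256").hexdigest(), "gender": r["gender"]}
        for r in records
    ]


def anonymise_to_counts(records):
    """Drop every identifier and keep only aggregate counts per gender.

    No output row relates to a particular individual, so this is the one
    transformation here that takes the data outside the GDPR definition.
    Caveat: a count of 1 in a small, known population can still single
    someone out, so check group sizes before publishing."""
    counts = {}
    for r in records:
        counts[r["gender"]] = counts.get(r["gender"], 0) + 1
    return counts


if __name__ == "__main__":
    emails = [r["email"] for r in RECORDS]
    pseudo = naive_pseudonymise(RECORDS)
    print("recovered from unkeyed hash:", reidentify(pseudo, emails))
    key = secrets.token_bytes(32)  # made-up key for the example
    print("recovered from keyed hash:", reidentify(keyed_pseudonymise(RECORDS, key), emails))
    print("aggregate only:", anonymise_to_counts(RECORDS))
```

The practical lesson is that hashing an identifier changes its form, not its legal character: the rows keep relating to identifiable people until the identifier is removed or the data is aggregated, and the pseudonymisation key is itself a sensitive asset.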
If all of that sounds a bit abstract, delving into a few examples should bring it into focus. Here are some of the most common types of GDPR personal data.
Identifiers serve a dual function as they both identify the data subject and are specific pieces of information related to that person. Common identifiers are names, mailing addresses, telephone numbers, email addresses, and usernames.
Though they are a subcategory of identifiers, online identifiers are worth calling out separately because so many organizations overlook them when examining their data practices. The two most common online identifiers are IP addresses and tracking technologies such as cookies and pixels. They are important to remember because most websites automatically collect this data from each of their visitors, and the identifiers are used to connect other kinds of online personal data (e.g., ad clicks, page views, etc.) to a particular data subject.
Any online activity can be considered personal data when related to an identifiable data subject (see “online identifiers” above). This includes browsing history, search history, email opens, ad clicks, shopping-cart data, and online purchases.
Geolocation data, even coarse data such as a city or state, is personal data when it relates to a specific data subject. For example, if a smartphone app ties GPS readings to a device identifier, the location data is personal data, because the device identifier makes the user identifiable.
Any number of personal characteristics such as age, gender, race, ethnicity, religion, and education can be personal data. Note that some of these (racial or ethnic origin and religious beliefs, among others) are “special categories” of personal data under Article 9 of the GDPR, which may be processed only under narrower conditions.
If an organization uses personal data to create a profile of a particular data subject (e.g., to predict future shopping behavior), the profile itself is personal data.
This is by no means an exhaustive list of the types of personal data under the GDPR. If you’re not sure whether something is personal data, ask yourself, “Is there an identifiable person?” and then, “Does this information relate to them?”
If your organization needs to be GDPR compliant, and realizing how much personal data it processes is making your head spin, just remember that you don’t have to handle compliance alone.
TrueVault Polaris is designed to help businesses become GDPR compliant at a fraction of the cost of hiring lawyers or consultants. Similar to online tax software, Polaris works through an intuitive question-and-answer interface, allowing businesses to get compliant in as little as a few hours. Polaris also includes the necessary tools, from consent management to privacy-request workflows, to help you stay compliant with minimal effort. Contact us today to learn more.
Disclaimer: This content is provided for general informational purposes only and does not constitute legal or other professional advice. Without limiting the foregoing, the content may not reflect recent developments in the law, may not be complete, and may not be accurate or relevant in an applicable jurisdiction. This content is not a substitute for obtaining legal advice from a qualified licensed attorney in the applicable jurisdiction. The content is general in nature and may not pertain to specific circumstances, so it should not be used to act or refrain from acting based on it without first obtaining advice from professional counsel qualified in the applicable subject matter and jurisdictions.
Our attorney-designed software guides you step by step through the compliance process from start to finish.
201 Mission Street, 12th Floor
San Francisco, CA 94105
Email: hello@truevault.com
2024 © All Rights Reserved.