What is Personal Data? – a Simple Explanation

what is personal data

Personal data is a term that should be relatively self-explanatory.

But if it was so simple, you wouldn’t be reading this blog. A blog that you probably found sitting alongside about a dozen other blogs trying to answer the same question: what is personal data?

You made the right choice by choosing this one because we’re not satisfied with just copying and pasting the legal definition and pretending we all know what it means.

We’ll go through the official definition and translate it into plain, easy-to-follow English.

So, if you work with personal data (or suspect you do), you can read our guide to know precisely if UK data protection rules apply to you.


Personal data and the rights of the person to whom the data relates are governed by the UK’s General Data Protection Regulation (GDPR). UK GDPR is implemented by the Data Protection Act 2018, written into law after the UK left the European Union and EU GDPR no longer applied. However, the UK GDPR is identical to the EU GDPR for all intents and purposes.

And you thought personal data law was complicated.

Really, all you need to know is that UK GDPR laws govern personal data use in this country.

GDPR Awareness Training

Our GDPR Awareness Training course provides a thorough understanding of the key aspects of general data protection regulations, data security levels and different types of threats that organisations or workplaces may face.

GDPR Principles for Organisations

Any organisation that collects, uses or stores personal data (or ‘processes’ personal data to use GDPR terminology) must comply with legislation and make sure that the data is:

  • Used fairly, lawfully and transparently
  • Used for a specified reason
  • Never used beyond the reason given
  • Accurate
  • Only kept for as long as it’s needed
  • Held securely and protected against unauthorised access, destruction or damage

GDPR Protections for People

UK GDPR also protects people’s digital rights and gives people legal entitlement to:

  • Keep their identity and data private
  • Know when their data is being collected or used
  • Know how and why their data is being used
  • Access any personal data that’s been collected
  • Correct mistakes or falsehoods in any collected data
  • Have any collected personal data deleted

The Legal Definition of Personal Data

Under UK GDPR legislation, personal data is defined as:

Any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier.

You probably get the gist of what personal data is. But there are also likely a few terms in there that you might be unsure of, so let’s break them down.

Natural Person

A ‘natural person’ refers to a living, breathing human being. UK GDPR specifies a ‘natural person’ as the term ‘person’ can sometimes be applied in legislation to other organisations such as corporations or governments.

So, this use of ‘natural person’ makes it clear that the law applies to individual human rights, not the rights of any organisation.

Data Subject

A ‘data subject’ is the individual to which the data is linked.

Put another way, you’re the data subject if the personal data in question either identifies you or can be used to identify you when combined with other information.

Identified or Identifiable

The definition covers situations where someone is identified or identifiable in personal data.

For example, your employer likely holds records that clearly identify you, such as your name, address and date of birth. If an unauthorised third party gained access to this data, they’d know exactly who you are.

But sometimes, data can only identify you when combined with other information. Think about when you use the internet. Websites will use cookies to track your search history, device IP address and web browser. None of this information specifically identifies you, but an unauthorised third party could use it to identify you if they could match this data against your internet service provider’s records.

Directly or Indirectly

This is closely linked to the point above. Personal data doesn’t always reveal someone’s identity directly. Even a name on its own doesn’t conclusive prove identity.

There will be personal data that can suggest someone’s identity or be used with other examples of personal data to determine it precisely.

Related Information

‘Related to’ means that the information doesn’t have to directly identify a person to qualify as personal data.

Instead, when the information has some connection to an individual and can be used to identify them, it’s protected under UK GDPR.

The legislation is specifically worded to cover as many types of personal data as possible. With so many people using the internet to communicate, shop or work, a vast variety of digital information needs to be protected by GDPR laws.

Personal Data

Online Identifiers

Online identifiers are digital traits that identify or trace a specific user or device online.

These identifiers can be used alone or with other information to identify someone, even if it doesn’t directly reveal personal details.

Examples of online identifiers include:

  • Email addresses – an obvious example, which can identify someone directly (think of how many professional emails are surname@company) or indirectly
  • IP addresses – the unique numbers assigned to devices connected to the internet
  • Account usernames – although they’re not ‘real’ names, they’re still directly linked to a specific person
  • Online cookies – websites track users’ activities to recognise returning visitors and offer specific content

Statistics show that human error, not hackers or malicious third parties, causes the majority of data breaches. And with fines of up to £18 million for personal data failings, ignorance can cost your organisation dearly.

What Does GDPR Mean For Your Organisation?

This depends on the scope of personal data your organisation processes and what it’s used for. But whatever your organisation does with the data, you must keep it safe. So, every employee at every level of your organisation needs to know exactly what personal data is and how to handle it securely.

Our online GDPR Training course gives trainees awareness of GDPR, including relevant legislation, essential terminology and best practice for keeping personal data safe. Trainees will better understand their data protection responsibilities and how to report any suspected breaches to keep your organisation GDPR compliant.

About the author(s)

Authors Photo
Jonathan Goby
Share with others
You might also like