What is Personal Data? – a Simple Explanation

Personal data and the rights of the person to whom the data relates are governed by the UK’s General Data Protection Regulation (GDPR). UK GDPR is implemented by the Data Protection Act 2018, written into law after the UK left the European Union and EU GDPR no longer applied. However, the UK GDPR is identical to the EU GDPR for all intents and purposes.

And you thought personal data law was complicated.

Really, all you need to know is that UK GDPR laws govern personal data use in this country.

Any organisation that collects, uses or stores personal data (or ‘processes’ personal data to use GDPR terminology) must comply with legislation and make sure that the data is:

• Used fairly, lawfully and transparently
• Used for a specified reason
• Never used beyond the reason given
• Accurate
• Only kept for as long as it’s needed
• Held securely and protected against unauthorised access, destruction or damage

UK GDPR also protects people’s digital rights and gives people legal entitlement to:

• Keep their identity and data private
• Know when their data is being collected or used
• Know how and why their data is being used
• Access any personal data that’s been collected
• Correct mistakes or falsehoods in any collected data
• Have any collected personal data deleted

Under UK GDPR legislation, personal data is defined as:

You probably get the gist of what personal data is. But there are also likely a few terms in there that you might be unsure of, so let’s break them down.

A ‘natural person’ refers to a living, breathing human being. UK GDPR specifies a ‘natural person’ as the term ‘person’ can sometimes be applied in legislation to other organisations such as corporations or governments.

So, this use of ‘natural person’ makes it clear that the law applies to individual human rights, not the rights of any organisation.

A ‘data subject’ is the individual to which the data is linked.

Put another way, you’re the data subject if the personal data in question either identifies you or can be used to identify you when combined with other information.

The definition covers situations where someone is identified or identifiable in personal data.

For example, your employer likely holds records that clearly identify you, such as your name, address and date of birth. If an unauthorised third party gained access to this data, they’d know exactly who you are.

But sometimes, data can only identify you when combined with other information. Think about when you use the internet. Websites will use cookies to track your search history, device IP address and web browser. None of this information specifically identifies you, but an unauthorised third party could use it to identify you if they could match this data against your internet service provider’s records.

This is closely linked to the point above. Personal data doesn’t always reveal someone’s identity directly. Even a name on its own doesn’t conclusive prove identity.

There will be personal data that can suggest someone’s identity or be used with other examples of personal data to determine it precisely.

‘Related to’ means that the information doesn’t have to directly identify a person to qualify as personal data.

Instead, when the information has some connection to an individual and can be used to identify them, it’s protected under UK GDPR.

The legislation is specifically worded to cover as many types of personal data as possible. With so many people using the internet to communicate, shop or work, a vast variety of digital information needs to be protected by GDPR laws.

Online identifiers are digital traits that identify or trace a specific user or device online.

These identifiers can be used alone or with other information to identify someone, even if it doesn’t directly reveal personal details.

Examples of online identifiers include:

• Email addresses – an obvious example, which can identify someone directly (think of how many professional emails are surname@company) or indirectly
• IP addresses – the unique numbers assigned to devices connected to the internet
• Account usernames – although they’re not ‘real’ names, they’re still directly linked to a specific person
• Online cookies – websites track users’ activities to recognise returning visitors and offer specific content

Statistics show that human error, not hackers or malicious third parties, causes the majority of data breaches. And with fines of up to £18 million for personal data failings, ignorance can cost your organisation dearly.

This depends on the scope of personal data your organisation processes and what it’s used for. But whatever your organisation does with the data, you must keep it safe. So, every employee at every level of your organisation needs to know exactly what personal data is and how to handle it securely.

Our online GDPR Training course gives trainees awareness of GDPR, including relevant legislation, essential terminology and best practice for keeping personal data safe. Trainees will better understand their data protection responsibilities and how to report any suspected breaches to keep your organisation GDPR compliant.