What is personal data?
The GDPR will make the issue of personal data a potentially expensive business issue
The EU GDPR has brought a renewed focus on the subject of personal data. Organisations will need to be able to tell individuals what information they hold on them, and delete that data if requested to. We also know that any breach resulting in the loss of personal data can result in a heavy fine and a ruined reputation, so all organisations should be making sure that personal data is stored in a secure manner, and that it can be easily rounded up on request.
Almost every organisation stores and processes personal data of one kind or another, be that emails, names and addresses, employment details, logins and passwords or health records. But some personal data is easier to define than others. In fact, IT professionals tasked with getting the house in order could be forgiven for asking, "what exactly is personal data?".
Broadly speaking, personal data may be defined as "Any information relating to a living, identified or identifiable natural person". That's clear enough on the face of it, but there are some interesting contextual edge cases.
A piece of data such as someone's age or gender might not be enough to identify that individual on its own. However, if it is likely that the organisation will in the future be able to combine that information with other data, such as a post code, in order to build up a profile, then it may indeed be considered personal data.
A photo of a person in a crowd where they are not the main subject may not be personal information, but if the individual is the focus then that picture could be categorised as such.
In a recent Computing survey, respondents were asked about their understanding of what constitutes personal data, with most options based on current ICO definitions under the Data Protection Act.
Best understood was "Data that's linked to an individual, providing particular information about that individual," with 48 per cent choosing that option, whereas "Data that has an individual as its central theme or focus, rather than being in relation to some other person or event," was only thought to be personal by 25 per cent.
"Data allowing you to identify an individual personally; does not apply to business professionals" is not actually an ICO definition, yet until now for practical purposes it has been true. B2B marketers have been able to contact people at work in a way that would be inappropriate - and illegal - were the same person at home in a private role. Under the GDPR this role-based distinction between "juridical" and "natural" persons will be swept away, one of the many big changes on the way.