What is Personal Data? Definition & Types

Personal Data Defined

If you are processing any kind of information relating to people, it's vital to understand if you are indeed processing personal data, and if your processing is compliant with data protection regulations.

While the specifics may vary depending on your region and the applicable regulations, put simply, personal data is any information that relates to an identified or identifiable individual, including any information that can be used to directly or indirectly identify a person.

This personal data could be as simple as a name, but could also include other identifiers, such as an IP address, browsing history, or even cookies (the small files websites save to your computer to store preferences).

The protection and privacy of personal data, in all its many forms, has become a significant concern and has led to the development of data protection regulations and laws in various jurisdictions, such as the European Union's General Data Protection Regulation (GDPR) and the California Consumer Privacy Act (CCPA) in the United States.

These regulations aim to safeguard individuals' rights and impose obligations on organisations regarding the collection, storage, processing, and sharing of personal data. Though, before considering these regulations, it is worth taking the time to understand the types of personal data you may deal with.

Types of Personal Data

General Personal Data

As we noted, personal data can encompass a wide variety of information relating to a person who can be identified or who are identifiable, directly from the information in question, or who can be indirectly identified from that information in combination with other information.

This type comprises of data such as:

• Basic personal information: This includes details such as name, address, phone number, email address, date of birth, and social media handles.

• Contact information: This includes information that allows for communication with an individual, such as work or personal email addresses, phone numbers, and postal addresses.

• Employment-related data: This includes information about an individual's employment, such as job title, work history, performance evaluations, and professional contact details.

• Financial data: This includes information related to an individual's financial status, such as bank account details, income, and financial transactions.

• Educational background: This includes information about an individual's educational qualifications, degrees, certifications, and educational institutions attended.

• Online identifiers: This includes information collected through online platforms and activities, such as IP addresses, cookies, device IDs, and website browsing history.

• Transactional data: This includes information related to transactions or interactions with an organisation, such as purchase history, order details, and customer service interactions.

• Social media data: This includes information shared on social media platforms, such as posts, comments, likes, and connections.

Special Category

Under the GDPR, special category data (previously referred to as sensitive personal data) refers to specific categories of personal data that are considered particularly sensitive and require additional protection. These categories, as defined in Article 9 of the GDPR, include the following:

1. Racial or ethnic origin: Data that reveals an individual's racial or ethnic background.

2. Political opinions: Data concerning an individual's political beliefs or affiliations.

3. Religious or philosophical beliefs: Data that reveals an individual's religious or philosophical beliefs.

4. Trade union membership: Data related to an individual's membership in a trade union.

5. Genetic data: Data concerning an individual's inherited or acquired genetic characteristics, which can provide information about their health or biology.

6. Biometric data for the purpose of uniquely identifying an individual: Data obtained through specific technical means that enable the identification or verification of an individual, such as fingerprints, facial recognition, or iris scans.

7. Health data: Data related to an individual's physical or mental health, including medical history, diagnoses, treatments, prescriptions, and information obtained through medical examinations.

8. Data concerning an individual's sex life or sexual orientation.

The GDPR specifically imposes stricter conditions for processing special category data. Processing this type of data is generally prohibited unless specific conditions are met.

These conditions include explicit consent from the data subject, processing for certain purposes (such as for medical diagnosis or employment-related obligations), or processing carried out by certain entities (such as healthcare professionals or social security institutions) under strict confidentiality obligations.

Organisations that handle special category data are required to implement appropriate safeguards and security measures to protect the confidentiality and integrity of such data. Additionally, they may need to conduct a data protection impact assessment (DPIA) before processing special category data to assess and mitigate any potential risks to individuals' rights and freedoms.

Pseudonymised & Anonymised Personal Data

While it is worthwhile taking a close look at the above detailed types of personal data, you should also remember that, under the GDPR, even personal data which has been de-identified, encrypted or even pseudonymised, but can be used to re-identify a person still counts as personal data, and thus falls within the scope of the GDPR.

Though, personal data which has been rendered irreversibly anonymous in such a way that the individual is no longer identifiable is no longer considered personal data.