Q&A - the GDPR: what is personal data?
Q. We are preparing for the General Data Protection Regulation (GDPR) which comes into force on 25 May 2018. Could you clarify what constitutes personal data under the GDPR?
A. Under the GDPR personal data is any information that can directly, or indirectly, identify a natural person who is known as a “data subject”. Examples are: a name, a photo, an e-mail address, bank details, posts on social networking websites, a computer IP address or a phone number. This is wider than the definition of personal data under the Data Protection Act 1998. In addition, the GDPR carves out “sensitive personal data”. These are special categories of personal data which uniquely identify an individual when processed. It will consist of any information about a person’s racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, genetic data, biometric data and data concerning health or sexual orientation. Personal data can be held in a manual format, e.g. handwritten notes, and electronic formats, e.g. computer records. The Information Commissioner’s Office has produced several GDPR guidance documents for small businesses which are free to download (see The next step).
For the ICO’s GDPR resources for small businesses, visit http://tipsandadvice-business.co.uk/download (CD 19.14.08).