The definition of personal data is the starting point within the GDPR since it only applies to the processing of personal data. We often see that our clients only look for the most obvious types of personal data (names, addresses, …) but are not aware that the definition is much broader and even complex.
Any information of a natural person
The definition of personal data under the GDPR encompasses all types of information related to a natural person, not just textual data. This includes more than just names and addresses; it also covers fingerprints, voice recordings, photos, and other forms of data that can be used to identify someone.
It’s also important to note that the GDPR applies only to the data of living individuals. Company data and the data of deceased people are not protected under the regulation.
Directly identifiable vs indirectly identifiable
Personal data is fundamentally about identifying an individual. Most people are familiar with directly identifiable data, such as full names, addresses, social security numbers, fingerprints, and photos. These are straightforward and easy to identify within your data sets.
On the other hand, indirectly identifiable data is more challenging to spot. While these data elements, on their own, might not immediately identify a person, when combined with other information, they could lead to the identification of an individual.
For example, knowing someone’s birth date and city might not seem to pinpoint a specific person. But if you combine this data with additional details, like their job or current residence, you can narrow down exactly who they are.
It’s like playing a game of “Who’s Who”—once you have enough clues, you can easily identify the individual.
This complexity is what makes determining personal data a challenging task.
Know your data
To effectively manage personal data, it is crucial for organizations to understand both directly and indirectly identifiable data and their implications under GDPR. Regular audits, proper data management, and employee training can help ensure compliance and prevent the accidental exposure of personal information.
Privatum 