What is Personal Data?
If you can identify a person, it's personal data.
Overview
Data privacy law is built on one foundational concept: personal data. If you cannot identify what counts as personal data β and why β you cannot apply any of the rules that flow from it. Answer the five questions below. Be precise. Vague generalisations will not score well.
Read before you answer
Personal data, under GDPR, is any information relating to an identified or identifiable natural person β the "data subject." A person is identifiable if they can be identified directly or indirectly, by reference to an identifier such as a name, an ID number, location data, an online identifier, or one or more factors specific to their physical, physiological, genetic, mental, economic, cultural, or social identity. The key word is "or" β a person does not need to be directly named for information about them to be personal data. A dataset containing no names but combining postcode, date of birth, and job title may still be personal data if someone could use that combination to identify a specific individual, even with some additional effort.
GDPR draws a distinction between ordinary personal data and special categories of personal data, which are accorded stronger protection because of their particular sensitivity. The special categories under Article 9 are: racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, genetic data, biometric data processed for the purpose of uniquely identifying a person, health data, data concerning sex life, and data concerning sexual orientation. Processing special category data is prohibited unless one of a specific set of conditions applies β including explicit consent from the data subject, necessity for employment law purposes, vital interests, or scientific research with appropriate safeguards. Criminal offence data is similarly restricted under Article 10.
Pseudonymisation replaces directly identifying information with a reference code, but if the key linking the code to the individual is retained anywhere, the data remains personal data β because re-identification is possible with the key. True anonymisation removes all reasonable means of re-identification, including through combination with other datasets, and data that is genuinely anonymous falls outside the scope of GDPR entirely. The distinction matters practically: pseudonymised data still requires legal basis, appropriate security, and compliance with data subject rights; anonymised data does not. Achieving genuine anonymisation is harder than it appears β researchers have repeatedly demonstrated re-identification of supposedly anonymous datasets using publicly available information.