Definition of Personal Data
Personal data is any information that relates to an identified or identifiable individual. According to the Data Protection Authority, this covers any detail that, on its own or combined with other information, can reveal who a person is.
It is worth noting that information about deceased individuals and about legal entities such as companies does not constitute personal data under the GDPR (the same exclusion applies under the UK GDPR), although national law may extend protection to the deceased.
Examples of personal data include:
- Name, address, phone number, and email
- Identification numbers, such as social security numbers
- Financial details like payment history and tax records
- Medical records and genetic information
- Biometric data, such as fingerprints or facial recognition
With increasing reliance on digital technologies, companies must be cautious when processing personal data, ensuring compliance with the General Data Protection Regulation (GDPR) to mitigate risks and protect individuals’ privacy.
Categories of personal data
Personal data is defined as any information relating to an identifiable natural person. An identifiable natural person is one who can be identified, directly or indirectly, through one or more identifiers. Pseudonymised data still counts as personal data, because it can be attributed to a person with the help of additional information.
GDPR treats personal data in three main categories:
1. General personal data and location data
General personal data covers everyday information such as contact details, financial records, and employment history. Businesses can process it whenever one of the lawful bases in the regulation applies, for example when it is necessary for providing a service, fulfilling a contract, or complying with a legal obligation.
2. Sensitive personal data and biometric data
Sensitive data (the regulation calls it "special categories of personal data") requires stricter protection because of its potential impact on individuals. The category covers personal data revealing:
- Racial or ethnic origin
- Political opinions
- Religious or philosophical beliefs
- Trade union membership
- Genetic data, and biometric data used to uniquely identify a person
- Health information
- Sex life or sexual orientation
Processing sensitive personal data is generally prohibited unless the individual has given explicit consent or one of the legal exceptions applies, such as obligations under employment law or healthcare purposes.
3. Criminal offense data
Information relating to criminal convictions and offences, including alleged offences and penalties, is subject to special processing rules. Organizations may only process this data under the control of an official authority or where national or EU law authorises it, for example when cooperating with law enforcement or when a background check is legally required for a position.
Confidential information and social security numbers
Confidential data is not explicitly defined in the GDPR, but it covers details that require additional protection, such as:
- Income and employment records
- Education and training history
- Family relationships and accident reports
National identification numbers, in Denmark the CPR number, are not classified as sensitive data, but their processing is strictly regulated. Companies must have a legitimate reason to collect and store them, such as compliance with tax reporting laws or financial transactions. Because an identification number on its own singles out one person, it falls squarely under the rules governing the processing of personal data. When transmitted electronically, for example by email, CPR numbers must be encrypted.
Lawful processing of personal data
To process personal data lawfully, businesses must meet at least one of the following conditions:
- Consent: The individual has given clear permission for their data to be processed.
- Contractual obligation: Data processing is necessary for fulfilling a contract with the individual.
- Legal obligation: Processing is required to comply with a legal duty.
- Vital interests: The data is necessary to protect someone's life or health.
- Public interest: Processing is necessary for a task carried out in the public interest or in the exercise of official authority.
- Legitimate interests: The organization has a legitimate reason to process the data, and that interest is not overridden by the individual's interests, rights, and freedoms.
Personal data includes any identifiable information, noting that an individual can be identified by one or more factors related to their identity, such as physical, physiological, genetic, mental, economic, cultural, or social characteristics. For a deeper understanding of who should have access to personal data and how to protect it, read our blog post on who should have access to your personal data.
Data protection for children
Children's personal data is subject to enhanced protection, especially in online services such as social media. When an online service relies on consent to process the data of a child below the age threshold set by national law (16 under the GDPR default, which member states may lower to 13), the company must obtain consent from a parent or guardian, and all communication must be written in clear, child-friendly language. With social media platforms posing significant privacy risks, it's crucial to understand their vulnerabilities – explore our blog post on the vulnerability of social media to learn more.
Ensuring compliance and security
To protect personal data, businesses should implement the following security measures:
- Strong encryption: Protect sensitive information during storage and transmission.
- Access control: Restrict access to personal data to authorized personnel only.
- Regular security audits: Identify and mitigate potential vulnerabilities.
- Data minimization: Only collect and store the necessary amount of data.
- Incident response plans: Establish clear protocols for handling data breaches.
Note also the scope of the regulation: the GDPR applies to personal data processed by automated means and to manual records that form part of a structured filing system. Paper records that are not organised in such a system fall outside it, which is why an organisation's GDPR inventory should cover every database, spreadsheet, and structured archive that holds personal data.
By following GDPR guidelines, businesses can ensure data protection, maintain compliance, and build trust with customers.
Data subject rights
Under the GDPR, data subjects are granted several rights to ensure their personal data is handled with care and transparency. People have the right to see their personal data, correct any mistakes, ask for it to be deleted (the right to be forgotten), and restrict how it is used. Data subjects also have the right to data portability, allowing them to take their data to another service provider, and the right to object to the processing of their data. If data subjects believe their rights are being infringed, they have the right to lodge a complaint with a supervisory authority.
Importance of personal data protection
Protecting personal data is crucial for safeguarding individuals from potential harm, such as identity theft, stalking, and discrimination. It also plays a vital role in maintaining trust between individuals and organizations that handle their data. Ensuring that personal data is processed in a fair, transparent, and accountable manner is fundamental to upholding privacy rights. The GDPR provides a robust framework for data protection, and non-compliance can result in significant fines and reputational damage for organizations. Want to understand how identity theft happens and how to protect yourself? Explore our guide on identity theft.
Personal data in the digital age
In today’s digital age, the collection, processing, and sharing of personal data have become ubiquitous. This shift has introduced new challenges in protecting personal data from cyber threats and ensuring it is not used in discriminatory or unfair ways. The GDPR addresses these challenges by setting stringent requirements for data protection in the digital realm. Organizations that handle personal data online must adhere to these regulations to ensure the security and privacy of the data subjects.
Best Practices for personal data management
Effective personal data management involves implementing robust measures to protect data, such as encryption and pseudonymization. Organizations should ensure that personal data is collected and processed only for legitimate purposes and that data subjects are fully informed about how their data is being used. Providing data subjects with access to their data and enabling them to exercise their rights under the GDPR is also essential. Regularly reviewing and updating data management policies and procedures is crucial to maintaining compliance with the GDPR and other relevant regulations.
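The "strong encryption" and "data minimization" points in the security measures above and the pseudonymization mentioned here have a practical pitfall that this added example illustrates: replacing a CPR number with an unkeyed hash is not pseudonymization. The CPR format is DDMMYY-NNNN, so an attacker who knows a person's birth date has only 10,000 candidates and can reverse a plain SHA-256 in milliseconds. A keyed HMAC under a secret held separately from the data removes that shortcut. This is example code written for this post, not code from any organisation or data protection authority; the sample CPR number is constructed and belongs to nobody, and the function names are my own.

```python
import hashlib
import hmac
import re
import secrets
from typing import Optional

# Constructed example value in CPR shape (DDMMYY-NNNN); not a real person's number.
SAMPLE_CPR = "010190-1234"

_CPR_RE = re.compile(r"^(\d{2})(\d{2})(\d{2})-?(\d{4})$")


def normalize_cpr(cpr: str) -> str:
    """Check the DDMMYY-NNNN shape and return the 10 digits without the dash.

    Raises ValueError on anything that is not CPR-shaped, so bad input never
    reaches the hashing functions below. The CPR check digit is deliberately
    not verified: numbers issued since 2007 do not always satisfy it.
    """
    m = _CPR_RE.match(cpr.strip())
    if not m:
        raise ValueError("not a CPR-shaped identifier")
    day, month = int(m.group(1)), int(m.group(2))
    if not (1 <= day <= 31 and 1 <= month <= 12):
        raise ValueError("invalid date component in CPR number")
    return "".join(m.groups())


def naive_hash(cpr: str) -> str:
    """Unkeyed SHA-256: often mistaken for pseudonymization, but reversible
    because the input space is tiny (see recover_from_naive_hash)."""
    return hashlib.sha256(normalize_cpr(cpr).encode()).hexdigest()


def new_pseudonymization_key() -> bytes:
    """A fresh 256-bit secret. Store it separately from the pseudonymised
    records (e.g. in a secrets manager), never in the same database."""
    return secrets.token_bytes(32)


def pseudonymize(cpr: str, key: bytes) -> str:
    """Keyed pseudonym: HMAC-SHA256 over the normalised CPR number.

    Deterministic under one key, so records can still be linked, but an
    attacker without the key cannot test candidate numbers.
    """
    if len(key) < 32:
        raise ValueError("pseudonymization key must be at least 32 bytes")
    return hmac.new(key, normalize_cpr(cpr).encode(), hashlib.sha256).hexdigest()


def recover_from_naive_hash(target: str, birthdate_ddmmyy: str) -> Optional[str]:
    """Attacker's view: with the birth date known, only the 4-digit serial
    is unknown, so the unkeyed hash falls to 10,000 guesses."""
    for serial in range(10_000):
        candidate = f"{birthdate_ddmmyy}{serial:04d}"
        if hashlib.sha256(candidate.encode()).hexdigest() == target:
            return candidate
    return None


def recover_from_pseudonym(target: str, birthdate_ddmmyy: str, key: bytes) -> Optional[str]:
    """The same search against the keyed pseudonym. It only succeeds when the
    attacker holds the key, which is exactly what separate key storage denies."""
    for serial in range(10_000):
        candidate = f"{birthdate_ddmmyy}{serial:04d}"
        guess = hmac.new(key, candidate.encode(), hashlib.sha256).hexdigest()
        if hmac.compare_digest(guess, target):
            return candidate
    return None


if __name__ == "__main__":
    key = new_pseudonymization_key()
    print("plain hash recovered:", recover_from_naive_hash(naive_hash(SAMPLE_CPR), "010190"))
    print("keyed pseudonym, no key:", recover_from_pseudonym(pseudonymize(SAMPLE_CPR, key), "010190", new_pseudonymization_key()))
    print("keyed pseudonym, with key:", recover_from_pseudonym(pseudonymize(SAMPLE_CPR, key), "010190", key))
```

Two caveats a practitioner should keep in mind. First, a keyed pseudonym is still personal data under the GDPR: whoever holds the key can re-identify the record, so the key is the asset to lock down, and rotating it breaks linkage with earlier records. Second, the pseudonym protects the identifier only; if the record still contains the birth date or other quasi-identifiers, data minimization (dropping or coarsening those fields) is what actually limits re-identification.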
Final thoughts
Personal data protection is a fundamental responsibility for businesses operating in today’s digital landscape. Understanding GDPR requirements and implementing strong security measures are essential for safeguarding individuals’ privacy and maintaining regulatory compliance. Personal data under GDPR includes various factors specific to an individual's identity, including social identity. By prioritizing transparency, accountability, and security, companies can foster trust and mitigate risks associated with data processing.
This post has been updated on 19-02-2025 by Sarah Krarup.

Sarah Krarup
Sarah studies innovation and entrepreneurship with a deep interest in IT and how cybersecurity impacts businesses and individuals. She has extensive experience in copywriting and is dedicated to making cybersecurity information accessible and engaging for everyone.