What is personal data?

The GDPR’s definition of personal data is much broader than that of the DPA 1998. Article 4 GDPR states that “‘personal data’ means any information relating to an identified or identifiable natural person (‘data subject’)”. It continues:

“an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.” (Art. 4 GDPR)

This broad definition includes a) any information relating to an identified individual, or b) any information relating to someone who could be identified based on a variety of identifiers.

The ICO offers this simple and straightforward example on its website:

‘John Smith, who works at the Post Office in Wilmslow.’

This may normally be enough information to directly identify an individual. However, if it is a common name and there is more than one John Smith who works for this organisation, you would need further details to directly identify them, such as:

‘John Smith with blonde hair and green eyes with a tattoo on his right arm, who works at the Post Office in Wilmslow.’

This additional information helps to single out that particular individual.

The GDPR indicates what other factors can be considered as “identifiers”, namely:

 “…one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person”.

Recital 24 states:

“The processing of personal data of data subjects who are in the Union by a controller or processor not established in the Union should also be subject to this Regulation when it is related to the monitoring of the behaviour of such data subjects in so far as their behaviour takes place within the Union. In order to determine whether a processing activity can be considered to monitor the behaviour of data subjects, it should be ascertained whether natural persons are tracked on the internet including potential subsequent use of personal data processing techniques which consist of profiling a natural person, particularly in order to take decisions concerning her or him or for analysing or predicting her or his personal preferences, behaviours and attitudes”.

Data collected or processed to track and understand consumers’ behaviours therefore likely qualifies as personal data.

So, an identifier can be:

  • name;
  • identification number;
  • location data; and
  • an online identifier.

Regarding the latter, a non-exhaustive list is included in Recital 30:

  • internet protocol (IP) addresses;
  • cookie identifiers; and
  • other identifiers such as radio frequency identification (RFID) tags.

Other examples of online identifiers that may be personal data include:

  • MAC addresses;
  • advertising IDs;
  • pixel tags;
  • account handles; and
  • device fingerprints.

Some circumstances might create a “grey area”, making it difficult to tell whether particular data is personal data. As a matter of good practice, you should always handle data as though it is personal data: keep the information secure, protect it from inappropriate disclosure, be open about how you are collecting the data, and ensure that you are justified in any processing.
