GDPR: What is Personally Identifiable Data?

GDPR was established by the EU to protect individuals’ data from malicious actors–and from being inappropriately leveraged in marketing, sales, or any other corporate transaction.

GDPR considers personal data a combination of four elements:

  1. “any information”
  2. “relating to”
  3. “an identified or identifiable”
  4. “natural person”

Let’s break each of those categories down.

Natural Person

The person must be alive in order to be considered a natural person.

Any Information

Includes objective information about an individual.  Examples:

  • Height
  • Weight
  • Skin tone
  • Hair color
  • Eye color
  • Physical description
  • Foot size
  • Fingerprint
  • Medical condition
  • Medication
  • Biometric

This is not limited to a specific format or delivery vehicle. Examples: Audio, Video, Photograph, Numerical, or Graphical

Identifiable individuals and identifiers

Combined with the above, the following personal information or personal information can be used to directly and/or indirectly identify an individual.

  • Name and surname
  • Email address
  • Phone number
  • Home address
  • Date of birth
  • Race
  • Gender
  • Political opinions
  • Credit card numbers
  • Data held by a hospital or doctor
  • Photograph where an individual is identifiable
  • Identification card number
  • A cookie ID
  • IP address
  • Location Data
  • Advertising id from phone
Personal data that relates to an identifiable individual

In this category, data that is used for learning or making a decision about an individual or that relates to an individual is considered personal data. This can also include data that, after processing, could have an impact on the individual.

This all comes down to how the data is processed and used.  A predominant example of this is a photographer taking a photo, which includes individuals, license plates, and other identifiers. This scenario does include personal data and wouldn’t be subject to GDPR rules.  However, if that photograph is leveraged by law enforcement or investigative authorities to identify individuals, then it would be considered as processing data about identifiable individuals.

Share this post with your network:

LinkedIn