What is considered “personal data” under the UK GDPR?
The UK’s data protection regime places strict obligations on those who process personal data – but what is caught by the definition of “personal data”?
Under the UK’s General Data Protection Regulation (UK GDPR), “personal data” means information relating to an identified or identifiable natural person.
Article 4(1) of the UK GDPR defines an ‘identifiable natural person’ as someone who can be identified, directly or indirectly, in particular by reference to an identifier, for example:
- a name;
- an identification number;
- location data;
- an online identifier; or
- one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.
Ultimately, the UK’s data protection regime requires organisations to conduct an assessment of whether a person is “identifiable” from the information they hold.
This can be quite straightforward, as certain types of information clearly identify an individual. For example, where a company selling directly to consumers requires the customer’s name, address and telephone number as part of the order process, that information will be sufficient to identify one individual. It will therefore be personal data and subject to the obligations on processing such data.
Other types of personal data could include:
- Personal information, such as name and address
- Family details
- Lifestyle and hobbies
- Education and training
- Health-related information
- Employment data
- Financial information
- Data collected and processed for the purposes of online behavioural advertising
- Contractual information (for example, goods and services provided to or by the data subject)
However, it can often be less clear-cut. For example, a common name alone, such as “John Smith”, may not be sufficient to identify one individual, so it may not be caught by the definition of personal data. In such a case, the following factors should be considered when determining whether the information held is “personal data”:
- Identifiability – can an individual be distinguished from other individuals;
- Whether someone is directly identifiable – for example a name and address together, or a corporate email address containing both the name and place of work will directly identify an individual;
- Whether someone is indirectly identifiable – where information from another source could be used to identify the individual, such as a car registration number, which could be linked to additional information held by the DVLA;
- The meaning of ‘relates to’ – for example, data that could identify an individual without naming them, such as a criminal record or medical history.
If it remains unclear whether the information meets the definition of personal data under the UK GDPR, then, as a matter of good practice, data with any of these features should be treated as though it is personal data.
It’s ultimately a low threshold, and there can be serious consequences for getting it wrong. Under the Data Protection Act 2018 organisations processing personal information are required to pay a data protection fee (unless exempt), which must be renewed yearly. Failure to do so can result in a fine of up to £4,000.
This can be a complicated area to navigate. If you require assistance with data protection, please contact a member of the Data Protection team, who will be happy to assist.