“Personal data” under Article 4(1) of the General Data Protection Regulation (GDPR) is defined as:

“Any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person”

What constitutes personal data is a broad concept but it covers information that relates to individuals such as one’s name, address or health records. However, sometimes it is not clear if the data is in fact personal data and then a case by case assessment must be made as to whether the data could be deemed personal data.

If data is fully anonymised, then the GDPR does not apply. Data is considered ‘anonymised’ when individuals are no longer identifiable. If the data is ‘pseudonymised’, it is still considered personal data. For further information, download the full guidance note on anonymisation and pseudonymisation (PDF, 799KB).