What counts as personal data may include more than you initially realise – our guide explains what personal data is according to UK data protection law.
What is personal data?
Personal data is information that relates to an identified or identifiable person, that is, someone who could be identified, directly or indirectly, from that information.
For example, your name, address, and date of birth were all already considered personal identifiers under the Data Protection Act 1998.
Personal data is regulated by the Data Protection Act. The EU-wide General Data Protection Regulation (GDPR), brought into UK law on 25 May 2018 under the newly revised Data Protection Act 2018, broadened the definition of what counts as personal data.
Personal data includes identifiers such as:
- your name
- an identification number, such as your National Insurance or passport number
- your location data, such as your home address or mobile phone GPS data
- an online identifier, such as your IP or email address.
Sensitive personal data is also covered in GDPR as special categories of personal data. The special categories specifically include:
- genetic data relating to the inherited or acquired genetic characteristics which give unique information about a person’s physiology or the health of that natural person
- biometric data for the purpose of uniquely identifying a natural person, including facial images and fingerprints
- data concerning health which reveals information about your health status, including both physical and mental health and the provision of health care services
- racial or ethnic origin
- political opinions
- religious or philosophical beliefs
- trade union membership
- sex life or sexual orientation.
Under both the existing and the new data protection rules, anyone who processes personal information must make sure that the information is (amongst other things):
- adequate, relevant and not excessive
- processed fairly and lawfully
- obtained only for one or more specified and lawful purposes, and not further processed in any manner incompatible with that purpose or those purposes
- accurate and up to date
- processed in accordance with the rights of data subjects under the Data Protection Act
- kept for no longer than is necessary
- secure (i.e. protected by appropriate technical or organisational measures against unauthorised or unlawful processing of personal data and against accidental loss or destruction of, or damage to, personal data).
Data Protection: jargon buster 💪
- Processing is the act of obtaining, recording, holding or using data.
- Data subject is an individual who is the subject of personal data.
- Data controller is a person or organisation that decides how personal data is processed. In many cases they will need the consent of the data subject to do this.
- Data processor is any person or organisation that processes data on behalf of the data controller.
How do companies use my personal data? 🤔
Organisations and businesses, which also include clubs, societies and charities, both large and small, use your personal data for a range of reasons.
Personal data for service or task
Organisations hold personal data for a range of useful reasons necessary to provide a service, not just for marketing.
For many purposes, you would want companies to continue handling your personal information to perform the tasks you need them to.
Personal data for profiling 👤
Companies might also use your personal data to profile you in order to provide better services.
For example, Netflix uses personal data to recommend films and TV programmes that it thinks you may enjoy. Other companies might use information on your shopping habits and social interactions to inform direct marketing and suggest other products to you.
Personalised offers and recommendations may well be welcomed by individuals who want a more tailored service. But for others, profiling can be seen as creepy and invasive.
You have the right to find out how organisations are collecting and using your personal data. This is called a subject access request and we’ve got a guide on how to make a subject access request.
You have the right to object to profiling, including where it is used for direct marketing purposes. Companies must inform you of your right to object no later than their first communication with you, and must also state it in their privacy notice.
If they receive an objection to processing personal data for marketing purposes, they must ensure that your personal data is no longer processed for such purposes.
How can I ask a company to stop processing my personal data? 🛑
You have a right to have personal data erased and to prevent processing in specific circumstances.
These include, but are not limited to:
- where the personal data is no longer necessary in relation to the purpose for which it was originally collected/processed
- where the personal data was unlawfully processed
- where you withdraw consent
- where the basis for processing is that it is in the organisation’s legitimate interests, but you object to the processing and there is no overriding legitimate interest for continuing the processing
How do I find out which personal data a company has? 🤔
As a consumer you have the right to make a ‘subject access request’, which allows you to act on your right to obtain access to your personal data held by a company. You can make them for free.
We offer a simple tool and data wallet to take the headache and workload out of making and managing access requests. It’s free, and we don’t collect or hold any of your personal data. The app is available on Apple and Android.
Read our dedicated subject access request guide for more information on how to make a subject access request.