What is personal data under GDPR?

Personal data under GDPR is any information relating to an identified or identifiable natural person, including direct identifiers like a name and indirect identifiers like an IP address when it can be linked to an individual.

When does the question of personal data arise in an organisation?

The question of personal data arises whenever an organisation collects, stores or otherwise processes information that can be connected to an individual, for example in recruitment, customer management, marketing or the use of cookies and other digital identifiers.

What are key considerations when processing personal data?

When processing personal data an organisation should identify purposes and data types, ensure a lawful basis under Article 6 GDPR, document processing under Article 30 GDPR, apply appropriate security measures, inform individuals of their rights, and carry out a DPIA where the processing is likely to result in high risk.

Personal data

Personal data is any information that directly or indirectly identifies, or relates to, a natural person.

Glossary
Personal data

Explained – what does personal data mean?

Personal data is defined in Article 4(1) GDPR as any information relating to an identified or identifiable natural person. This may include names, addresses, email addresses, telephone numbers or IP addresses, as well as information that can be linked to an individual indirectly. The regulation of personal data is central to data protection law and is particularly significant for organisations processing large data volumes. A GDPR consultant can help businesses ensure that handling is lawful and that the right information is treated as personal data in line with GDPR. Engaging structured GDPR consulting services or a seasoned GDPR compliance consultant is often the most efficient route to robust compliance.

When does the question of personal data arise?

The question arises whenever an organisation collects, stores or otherwise processes information that can be connected to an individual. Typical contexts include recruitment, customer management and marketing. Technical solutions that use cookies and other digital identifiers are also within scope of the rules on personal data. Where uncertainties persist, a GDPR compliance consultant can assess whether processing falls under GDPR and recommend proportionate controls as part of GDPR consulting services.

Key considerations for processing personal data

To handle personal data lawfully, organisations must follow core principles. Below are key starting points.

Identify which personal data are processed and for what purposes.
Ensure a lawful basis exists under Article 6 GDPR.
Document the processing in a record of processing activities under Article 30 GDPR.
Implement technical and organisational security measures to safeguard the data, such as encryption and access controls.
Inform data subjects of their rights, for example the rights to information, rectification and erasure.
Observe the specific rules for special category personal data under Article 9 GDPR.
Conduct data protection impact assessments (DPIAs) for processing that may pose a high risk to individuals’ fundamental rights and freedoms.

By addressing these points systematically, organisations create clarity in processing and strengthen trust among customers and employees. Where needed, a GDPR consultant can provide targeted GDPR consulting services to embed controls efficiently.

Personal data

Why is personal data important?

Personal data underpins many operational processes and business models, from customer service to the development of digital services. Because it relates directly to individuals, it is essential that processing complies with data protection rules to safeguard privacy.

By meeting GDPR requirements, organisations reduce the risk of regulatory action and demonstrate respect for individuals’ rights. This supports sustainable relationships and builds trust with customers and partners. Expert input from a GDPR compliance consultant ensures practical implementation and ongoing assurance.

Handling personal data correctly is also a competitive advantage. Businesses that actively prioritise data protection are perceived as serious and reliable, strengthening the brand and enabling new opportunities. Where appropriate, seek precise GDPR legal advice from a data protection lawyer or GDPR lawyer to complement operational GDPR consulting services.

Any information that can be linked to an identified or identifiable natural person.

Consent is required where no other lawful basis under Article 6 GDPR applies. It must be freely given, specific, informed and unambiguous (informed consent).

Organisations should work systematically with both technical and organisational measures, for example:

Encryption and access restriction
Procedures for handling personal data breaches
Ongoing staff training
Regular testing and review

Data concerning, for example, health, religion or trade union membership involve heightened risks to individuals. They may be processed only under strict conditions in Article 9 GDPR, together with appropriate safeguards and, where required, a DPIA.

The controller is ultimately responsible for compliance, while processors and employees also play important roles in day-to-day operations. A GDPR consultant or GDPR compliance consultant can support governance frameworks and internal controls.

Anonymised data cannot be linked to an individual and therefore falls outside GDPR. Personal data, even when pseudonymised, remain protected and within scope. Distinguishing the two is essential to determine whether GDPR applies, particularly in analytics and gdpr compliance for marketing contexts.