There has been a lack of clarity as to what is defined as personal data under the soon to be introduced General Data Protection Regulation (GDPR). This is because there is no available list of what can be considered as personal data.
The definition is dependent on the specific circumstances of each case and the types of personal information are obtained.
There is some assistance to hand, in that GDPR referes to personal data as data which can be used to identify a living person. However, this has different consequences for different individuals..
Reviewing What Constitutes Personal Data
Being conscious of what personal data refer to and what will allow a person to be identified, it needs to be reviewed in different contexts.
For example, a man named John Smith cannot be identified by his name alone, as this is such a common name. However, a man called Joseph Shuttleworth could not possibly be identified by his name alone. Should it be the case that a name alone is enough to identify someone then it is though of as personal data. In another scenario, like a business gathering other information, such as what car he drives which city he resides in and what phone he uses, all of this data together could be used to identify him. In this case the information then becomes personal data. The identification of the person is the important part.
One important alteration that comes with GDPR is that, in certain instances, identifiers such as an IP address could be considered personal data.
How Can Businesses Prepare Themselves
Given the amendments to the definition of personal data under GDPR, it is important for businesses to complete an audit of the data they gather, to see if it could be defined as personal data, and to decide if they have gained adeuqate consent to store and use it. Not doing so could lead to them receiving a harsh penalty, such as a massive fine.