UK General Data Protection Regulation (UK GDPR)
What is considered personal data under the UK GDPR?
In order to understand if the UK General Data Protection Regulation (UK GDPR) applies to your activities, you must know whether or not you are processing personal data.
What is personal data?
Personal data is information that relates to an identified or identifiable individual. An individual is 'identified' or 'identifiable' if you can distinguish them from other individuals. Common means of identifying someone may include, for example:
- date of birth
- identification numbers
- bank details
- addresses, including email addresses
- other location data, such as an IP address
- online identifiers
Other factors, or a combination of factors, may also identify an individual. For example:
- information about sole traders, employees, partners and company directors, that identifies and relates to them as an individual
- pseudonymised data, ie data where identifiers have been removed or replaced, but a residual risk of re-identification remains
If it is possible to identify an individual directly or indirectly from the information you are holding or processing, then that information may be personal data.
Sensitive personal data
Personal data may also include special categories of personal data, such as:
- data relating to racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, genetic data, biometric data, data concerning health or a person's sex life or sexual orientation
- data on criminal conviction and offences
These are considered to be more sensitive and you may only process them in more limited circumstances.
Does your data relate to an individual?
For data to be 'personal data', it must relate to a living, identifiable individual. To decide if data relates to an individual, you may need to consider:
- the content of the data - is it directly about the individual or their activities
- the purpose you will process the data for
- the results of (or effects on) the individual from processing the data
It is possible that the same information is personal data for one controller's purposes but is not personal data for the purposes of another controller.
The UK GDPR does not extend to information about a deceased person, information about companies or public authorities, or anonymised data (if it is truly anonymous).
In some cases, it may be difficult to determine if data is personal data. The ICO has published detailed guidance on determining what is personal data. If in doubt, treat the information with care, ensure that you have a clear reason for processing the data and make sure you hold and dispose of it securely.
How long can you keep personal data?
The UK GDPR explicitly states that you must keep personal data 'no longer than is necessary' for the purposes for which the personal data is processed. It doesn't, however, specify how long is 'longer than necessary'.
Statutory retention periods may apply to some types of data records - for example, you must keep P60s and P45s for at least six years - but for most other records, you can exercise your discretion.
The regulation puts emphasis on data minimisation, both of the volume of data stored and how long you retain it. You should therefore keep the data:
- for the least amount of time that you can
- in accordance with the requirements of your business
- stored securely while it is in your possession
- until it reaches the appointed deletion time
See more on accountability under the UK GDPR.
This guide does not constitute legal advice and is provided for general information purposes only.
ICO Helpline0303 123 1113