What Counts as Personal Data Under UK GDPR?

Under the UK GDPR, personal data means any information relating to an identified or identifiable person. That can include obvious details such as a name or email address, but also less obvious identifiers such as customer IDs, location data, online identifiers, or information that can identify someone when combined with other data.

Estimated reading time: 6 minutes

Topic: GDPR basics

Related terms: Personal data and Data subject

Quick answer

What personal data means in practice

Under the UK GDPR, personal data means any information relating to an identified or identifiable living person. This can include obvious details such as names, email addresses and phone numbers, but also indirect identifiers such as customer IDs, location data, online identifiers, employment records, or information that becomes identifying when combined with other data.

Direct identifiers

Information that identifies someone clearly, such as a name or email address

Indirect identifiers

Information that can identify someone when combined with other details

Why it matters

If information is personal data, UK GDPR duties apply

Section one

What counts as personal data

The starting point is whether the information relates to a living person who is identified or identifiable. The person does not need to be named directly. If someone can be singled out, recognised, contacted, profiled, or linked to the information, it may still be personal data.

Direct identifiers

Information that identifies someone clearly

Names, personal email addresses, phone numbers, postal addresses, account numbers, staff IDs, and customer records can all be personal data where they relate to an individual.

Indirect identifiers

Information that identifies someone in context

Job title, location data, order history, device details, IP addresses, cookie IDs, or reference numbers may identify someone when combined with other information.

Related information

Information about a person

Personal data can include opinions, notes, behaviour, preferences, performance records, complaints, communications, and other information connected to a person.

Once information is personal data, organisations need to consider their lawful basis, transparency duties, and wider accountability responsibilities.

Section two

How direct and indirect identification work

Personal data is not limited to information that names someone. The UK GDPR also covers information that can indirectly identify a person, particularly where it can be combined with other details already held by the organisation or reasonably available to it.

Can the person be identified indirectly?

A person may be indirectly identifiable through a combination of details, such as postcode, job role, location, transaction history, account reference, or device information.

Does online data point back to someone?

Cookie IDs, IP addresses, device identifiers, advertising IDs, and analytics identifiers can be personal data where they relate to an identifiable person.

Does context change the answer?

The same piece of information may be anonymous in one setting but personal data in another if the organisation can link it back to an individual.

Section three

Personal data is not always special category data

All special category data is personal data, but not all personal data is special category data. This distinction matters because special category data has extra legal restrictions under the UK GDPR.

Personal data

Information relating to an identifiable person

This can include contact details, customer records, browsing behaviour, location data, staff files, transaction history, account notes, and other information connected to a living person.

Special category data

More sensitive personal data

This includes data such as health information, biometric data used for identification, racial or ethnic origin, political opinions, religious beliefs, and sexual orientation.

The practical way to think about it

First ask whether the information is personal data. Then ask whether it falls into a more protected category. If it does, the organisation may need additional safeguards and a separate condition for processing it. See Special Category Data Explained Under UK GDPR.

Section five

Common mistakes with personal data

Personal data mistakes often happen because organisations think too narrowly about identification. The risk is not just obvious names and contact details, but whether information can reasonably be linked back to someone.

Assuming business contact data is never personal data

A work email address or business phone number can still be personal data if it relates to an identifiable individual.

Ignoring online identifiers

IP addresses, cookie IDs, device identifiers, and advertising IDs may be personal data where they relate to an identifiable person.

Treating pseudonymised data as anonymous

Pseudonymised data is usually still personal data because re-identification may be possible with additional information.

Forgetting internal notes and opinions

Personal data can include notes, assessments, opinions, decisions, complaints, and records about a person, not just factual identifiers.

Why this distinction matters

If an organisation fails to recognise personal data, it may miss core GDPR duties such as lawful basis, transparency, retention, security, rights handling, and accountability.

Grounded in

What this article is grounded in

This article is based on ICO guidance on what counts as personal data, together with UK GDPR provisions that define personal data and shape how organisations should handle information relating to identifiable people. It also connects to wider duties around lawful basis, transparency, accountability, and the distinction between ordinary personal data and special category data.
