1.1 What Is Personal Data?
Module 1: What Is Data Privacy?
Defines personal data, explains directly and indirectly identifying information, and introduces sensitive data categories.
Learning Material
1 pagesWhat Is Personal Data?
Personal data is any information that can be used to identify you — directly or indirectly. The definition is broader than most people expect, and understanding it is the foundation of every privacy right you hold.
Under Europe's General Data Protection Regulation (GDPR), personal data is "any information relating to an identified or identifiable natural person" (GDPR, Art. 4(1)). This benchmark definition has shaped privacy law worldwide. You are 'identifiable' if you can be singled out by reference to a name, an ID number, location data, an online identifier, or any combination of factors specific to you.
Two types of personal data
Directly identifying data names you without additional steps: your full name, passport number, national insurance number, email address, or home address.
Indirectly identifying data identifies you when combined with other information. Your IP address, a cookie ID, or a GPS coordinate alone may not reveal your name — but linked to an internet provider's records or a map of your commute, they point straight to you. In a landmark study, researcher Latanya Sweeney (2000) showed that 87% of Americans could be uniquely re-identified using just three data points: ZIP code, date of birth, and sex.
Sensitive personal data: a protected sub-category
Certain categories receive extra legal protection because of the specific harms their exposure can cause. Under GDPR Art. 9, these include: racial or ethnic origin, political opinions, religious beliefs, trade union membership, genetic data, biometric data used for unique identification, health information, and data about sexual orientation.
The rationale is concrete. Leaked health data can affect your insurance premiums. Disclosed political views can endanger you under authoritarian governments. Biometric data — your fingerprint or face scan — cannot be changed like a password; once leaked, it is compromised forever.
Anonymization versus pseudonymization
Not all data about people is personal data. Truly anonymized data — where re-identification is genuinely and irreversibly impossible — falls outside most data protection frameworks. The catch: real anonymization is technically difficult. Pseudonymization (replacing names with codes) dös not make data non-personal if the code can be reversed by someone with access to the key.
Your takeaway
The next time you fill in a form, use an app, or visit a website, ask yourself: could this information identify me — directly, or in combination with other things? If yes, it is personal data. And where there is personal data, there are rights.