Personal data


Personal data is data related to a Digital Subject

Personal data has many different definitions within both Regulatory compliance and Standard compliance.

Personal data certainly would include Personally Identifiable Information and Patient Data and some definitions include using Identity Correlation

Personal data and Contexts#

Personal data may be classified within two broad categories:

Organizational Entities may be Sensitive Data or have a Data Classification of Confidential data but NOT Personal data or (Personally Identifiable Information (PII))

Personal data and Medical Care#

Personal data within the context of Medical Care we refer to as Patient Data is considered Personal data. This Patient Data is interpreted differently even within the different contexts within Medical Care


Within HIPAA Protected Health Information is considered Personal data even though it is not directly able to provide Identification.

European Commission (GDPR PSD2)#

According to the European Commission "Personal data is any information relating to an individual, whether it relates to his or her private, professional or public life. Personal data can be anything from a name, a photo, an email Address, bank details, posts on social networking websites, medical information, or a computer’s IP Address." [1]

Personal data only includes information relating to Natural Persons who:[4]

  • can be identified or who are identifiable, directly from the information in question; or
  • who can be indirectly identified from that information in combination with other information.
  • Personal data may also include special categories of Personal data or criminal conviction and offences data. These are considered to be more sensitive and you may only process them in more limited circumstances.
  • Pseudonymised data can help reduce privacy risks by making it more difficult to identify individuals, but it is still Personal data.
  • If Personal data can be truly anonymised then the anonymised data is not subject to the GDPR. It is important to understand what Personal data is in order to understand if the data has been anonymised.
  • Information about a deceased person does not constitute Personal data and therefore is not subject to the GDPR.
  • Information about companies or public authorities is not personal data.
However, information about individuals acting as sole traders, employees, partners and company directors where they are individually identifiable and the information relates to them as an individual may constitute Personal data.

Any information related to an identified or identifiable Natural Person that could be used to directly or indirectly identify that Natural Person is covered by GDPR. Such data includes: (but is not limited to)

entities are responsible for any Personal data they collect, whether that data resides in a customer database, employee database, or even a supplier database. What’s more, Custodian of personal data collected by a company — even if they just store the data and don’t have access to it — need to comply with the GDPR or risk being fined.

Specific mention and inclusion of data relating to:

is included.

Not only is the Personal data itself covered by the General Data Protection Regulation, but everything that’s done with the data, too. "Processors [of data] also have a Responsibility," Hammarstrand said. "What’s new in this legislation is they have a direct responsibility. They could actually be reviewed and fined if they are not complying with the legislation."

More Information#

There might be more information for this subject on one of the following: