Privacy often goes wrong because people do not realise they are working with personal data. An export file, a screenshot of a chat, a list of attendees: it looks harmless, but it is all data about people. Once you learn to recognise what personal data is, you handle it more carefully by default. This article helps you spot it in your daily work.
What is personal data?
Personal data is any data that lets you identify a person, directly or indirectly. A name or email address is obvious, but a staff number, licence plate, IP address or photo counts too.
Indirect is trickier, and that is exactly where things go wrong. Separate pieces of data look anonymous, but together they point to one person. "The project lead in department X who fell ill last week" names no one, yet is traceable to a real person.
Where do you meet it in your work?
Personal data sits in more places than you think. A few common examples:
- Email and calendar: recipients, attendee lists, minutes with names.
- Exports and reports: customer lists, member records, salary overviews.
- Screenshots: a screenshot of a chat or record quickly contains names or numbers.
- Forms and sign-ups: anything you collect about participants or applicants.
- Photos and video: identifiable people on camera are personal data too.
Ordinary and special data
Not all personal data is equally sensitive. A business email address is a different matter from someone's health situation. The GDPR therefore has a separate category: special category data, such as health, religion, ethnicity, political views and biometrics.
Stricter rules apply to that special data. It helps to pause at each file and ask: is there anything sensitive in here? That one moment of thought prevents a lot.
Why recognition is half the work
You can only protect data once you realise it is personal data. The employee who knows an export file is full of customer data will naturally check the recipient before emailing it. The one who does not realise sends it on carelessly.
Recognition is therefore the first and most important step. All later care, sharing deliberately, not keeping data too long, reporting doubt, begins with that single realisation: this is about people.
A simple rule of thumb
For every file, message or screen, ask one question: can I identify a person from this? If the answer is yes, you are working with personal data and care is warranted.
If you doubt whether something is sensitive, treat it as if it is. Caution costs you a few seconds; a breach costs the organisation far more.
How to embed this in your awareness programme
Make recognition concrete and recognisable. In short exercises, show examples from real work and let people point out where the personal data sits. That trains the eye better than a legal definition.
Repeat it on a steady rhythm and tie it to behaviour: people who learn to recognise personal data start sharing and storing it more consciously.
Related articles
- What is the GDPR and what does it mean for you?
- Data protection and privacy: GDPR essentials for employees
FAQ
Is a business email address personal data?
Yes, if it points to an identifiable person, such as first.last@company.com. A generic address like info@company.com usually is not, because it cannot be traced to one person.
Is data without a name always anonymous?
No. Separate pieces of data can still point to one person. A role, department and date together often make someone identifiable. It is truly anonymous only when re-identification is impossible.
Do photos and video count?
Yes. Identifiable people on camera are personal data. Be careful when creating, sharing and keeping images in which people can be recognised.
What is special category data?
Extra sensitive data such as health, religion, ethnicity, political views and biometrics. Stricter rules apply; only process and share it under strict conditions.
What do I do if I am unsure whether something is personal data?
Treat it as if it is. Ask yourself whether you can identify a person from it; when in doubt, err on the cautious side and share only through approved channels.