2LRN4 security awareness platform
← Back to overview

Recognising personal data: what counts and what doesn't?

Names and addresses are not the only personal data. Learn to recognise what falls under the GDPR, including less obvious examples like IP addresses and licence plates.

The GDPR applies as soon as you process personal data. But what exactly counts? Many people think only of names and addresses. In reality the concept is far broader: any data that can be traced to a person counts. Recognising that tells you when the privacy rules come into play.

The definition: traceable to a person

Personal data is any information about an identified or identifiable natural person. "Identifiable" is broad: even if you can only trace someone with extra information, it still counts.

So it covers not only direct data such as a name, but also indirect data: a combination of date of birth, postcode and gender can make someone unique, even without a name.

Examples people often forget

Besides name, address and email, these also count:

  • IP address and cookie ID: traceable to a device and often to a person.
  • Licence plate: linked to an owner.
  • Photos and video: where someone is recognisable.
  • Location data: where someone was and when.
  • National ID and employee number: unique identifiers.
  • Voice and handwriting: can lead to a person.

Special and criminal data

Some personal data is extra sensitive: health, racial or ethnic origin, religion, political opinions, trade union membership, sexual orientation and biometrics. Stricter rules apply.

Data on criminal offences and national identifiers also enjoy additional protection. When you encounter these, handle them with extra care and share them only through approved channels.

How to embed this in your awareness programme

Recognition is the core skill; aim your programme at the question 'when does the GDPR apply?'.

  • Have staff classify examples in short exercises: personal data or not.
  • Use examples from their own work, such as an Excel of email addresses, a photo or an IP log.
  • Repeat through microlearning, because recognition fades without practice.
  • Offer depth per audience via our course catalogue.

FAQ

Is a work email address personal data?

Usually yes. An address like firstname.lastname@company.com is traceable to a person and therefore falls under the GDPR. A generic address like info@company.com generally does not.

Is an IP address personal data?

Yes, as a rule. An IP address is traceable to a device and often to a person, especially combined with other data. The GDPR therefore treats it as personal data.

Does data of deceased people fall under the GDPR?

No, the GDPR applies only to living people. Note, though, that national rules or professional secrecy may still protect it, and data of the deceased may simultaneously contain data of the living.

Is anonymised data still personal data?

Genuinely anonymised data, no longer traceable to a person, falls outside the GDPR. Pseudonymised data does fall under it, because it is still traceable with extra information.

Does a combination of separate data count?

Yes. Individual data may seem harmless, but a combination such as date of birth, postcode and gender can uniquely identify someone. The privacy rules then fully apply.

Want help with implementation?

Book a short demo or discuss your use case. We respond quickly.

Book a demo View support