What information does the GDPR apply to?

Personal data

The GDPR applies to ‘personal data’, meaning any information relating to a living and identifiable person who can be directly or indirectly identified, in particular by reference to an identifier and other information in the possession of the controller (ie in combination).

This definition provides for a wide range of personal identifiers to constitute personal data, including name, identification number, location data or online identifier, email address and IP address, reflecting changes in technology and the way organisations collect information about people.

The GDPR applies to both automated personal data and to manual filing systems where personal data are structured and accessible according to specific criteria. This could include chronologically or alphabetically ordered sets of manual records containing personal data (as has always been the case under the DPA).

Personal data that has been pseudonymised – eg key-coded – can fall within the scope of the GDPR depending on how difficult it is to attribute the pseudonym to a particular data subject.

Sensitive personal data

The GDPR refers to sensitive personal data as “special categories of personal data” (see Article 9).

The special categories specifically include the racial or ethnic origin of the data subject, political opinions, religious beliefs or philosophical beliefs, trade union membership, genetic data, and biometric data where processed to uniquely identify an individual, physical or mental health or condition, sexual life or sexual orientation and personal data relating to criminal convictions.

The processing of personal data relating to criminal convictions and offences has been specifically separated out from the special categories of data. Because these data are highly sensitive, and in contrast to the special categories of data, which have exceptions under Article 9(2) of the GDPR, there are no exceptional situations of processing that permit controllers to deviate from the requirements under Article 10 of the GDPR. As such, the processing of criminal convictions and offences data may only be carried out under the control of official authority and where it is authorised by, in this case, UK law.