1. A Simple Guide to Personal Data

Privacy Culture | August 1, 2025

Understanding what counts as personal data and why it matters

Personal data sits at the heart of the UK GDPR. It is any information that can identify a living person, directly or indirectly. Knowing what counts as personal data helps prevent mistakes that could lead to breaches or complaints.

If you remember nothing else, remember this: personal data is any detail that can point back to a person, even when that link is not obvious.

1. What is personal data

Personal data includes the information you might expect, such as names, addresses, phone numbers, or email addresses. It also includes less obvious details like location data, ID numbers, IP addresses, and photos. Even opinions or notes written about someone can count as personal data if the person could be recognised from them.

The UK GDPR defines personal data as any information relating to an identified or identifiable person. If the person can be picked out directly or by combining bits of data, then it qualifies.

Special category data is personal data that needs extra care because of the harm it could cause if misused. It covers information about health, racial or ethnic origin, religion, political opinions, trade union membership, genetics, biometrics, or sexual life.

2. Who is responsible for protecting it

There are two main roles under the UK GDPR:

  • Controller: decides why and how personal data is used.
  • Processor: handles personal data on behalf of the controller, following their instructions.

A business might be both in different situations. For example, it is a controller for its employees’ records but a processor if it handles data for a client. Both roles share the responsibility for ensuring that data is processed lawfully, fairly, and securely.

3. Why it matters in everyday work

Most people in an organisation handle personal data without realising it. Sending an email, saving a contact list, or updating HR files all count as processing. Everyday activities can create privacy risks if not done carefully.

Common mistakes include:

  • Sending an email to the wrong person
  • Leaving paperwork on a desk or in a printer
  • Sharing passwords or logins
  • Using personal devices for work files
  • Keeping data that is no longer needed

A single small error can result in embarrassment, lost trust, or regulatory action.

4. The seven principles of data protection

Every action involving personal data must follow the seven UK GDPR principles:

  1. Lawfulness, fairness, transparency – be open and honest about how you use data.
  2. Purpose limitation – only collect data for specific, legitimate reasons.
  3. Data minimisation – gather only what is needed.
  4. Accuracy – keep data up to date.
  5. Storage limitation – do not keep data longer than required.
  6. Integrity and confidentiality – keep it secure.
  7. Accountability – be able to show how you comply.

These principles are not just for lawyers. They are practical habits that reduce risk and build trust.

5. Building good habits

The best protection is awareness. Some simple habits make a huge difference:

  • Check email addresses carefully before sending.
  • Use BCC when emailing groups.
  • Clear your desk and lock your screen when leaving your workspace.
  • Keep devices updated and use strong passwords.
  • Delete or archive data when it is no longer needed.
  • Report mistakes quickly to your privacy or IT team.

Reporting early is better than hiding an error.

6. Monday morning takeaways

If you handle personal data:

  1. Treat it with care at all times.
  2. Only collect what you need.
  3. Keep it secure and up to date.
  4. Delete it when it is no longer required.
  5. Report any incident as soon as possible.

If you manage a team:

  1. Provide regular data protection training.
  2. Lead by example in how you handle information.
  3. Create a culture where people ask questions.
  4. Review what personal data your team actually needs.

Quick summary

  Key point              | What it means                          | Why it matters
  -----------------------|----------------------------------------|----------------------------
  Personal data          | Any information identifying a person   | Protected by law
  Special category data  | Sensitive data                         | Needs extra care
  Controller             | Decides how data is used               | Carries main responsibility
  Processor              | Acts on controller’s instructions      | Must follow GDPR rules
  Everyday handling      | Emails, documents, calls               | Where most breaches occur

In plain terms

Personal data is anything that can point back to a person. It does not matter if it feels harmless: if it can identify someone, it needs protecting. The UK GDPR is about fairness, respect, and security. Handling personal data properly is not about red tape; it is about trust.