What Data Does The GDPR Apply To?

Broadly, the General Data Protection Regulation (GDPR) applies to data about an individual, which it calls 'Personal Data'. As well as this personal data, the regulation also identifies a number of specific areas of personal data for further consideration.

Personal data

The GDPR primarily applies to personal data, which it defines in A4.1 as:

‘personal data’ means any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person;

That's a hugely broad set of data and it's much more than the obvious things like address, gender, date of birth, etc. In short, it covers pretty much any data about a person.

This personal data is not just data about your individual customers, this is any individual's personal data that's collected or processed anywhere in your business, e.g.

  • Individual customers
  • Individuals working for customer companies
  • Individuals working for your suppliers and partner organisations
  • Your own staff (e.g. HR data)

Pseudonymised data, i.e. data that has had obvious personal identifiers (e.g. first name and last name) can also come under the GDPR depending on how hard it is to infer the identity of an individual from that data.

For example, removing the name of a person from a customer record might not be enough if their job title then uniquely identified them by virtue of them being the only person to have been employed in that position at that customer company at that time.

Sensitive personal data

Article 9 of the GDPR identifies certain categories of Personal Data that should be treated with additional care. It issues a blanket ban on the processing of these types of data as follows:

Processing of personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, and the processing of genetic data, biometric data for the purpose of uniquely identifying a natural person, data concerning health or data concerning a natural person’s sex life or sexual orientation shall be prohibited.

The above does not apply however, if the individual has specifically given permission for the processing to occur, or under a few other very specific circumstances.

Data relating to criminal convictions

Article 10 introduces separate , specific rules for this type of data. Were focussing on small and medium sized organisations (i.e. SMEs) for this guide, so we're not going to look at this area further, but there's lots of information in Article 10.

Data about children

The GDPR makes special provisions for the processing of children's data. Again, that's not something we imagine will affect too many SMEs, but there's lots information about this in the ICO documentation.

Important: This site describes our current understanding of the General Data Protection Regulation (GDPR).

We are not lawyers, always seek specialist GDPR advice for your organisation.

About Redox Software

At Redox we specialise in producing bespoke software written especially for your business. We can write you a system that can be used on your computer, via the web or on your tablet/phone – or any combination of those - either now or in the future.

Latest Redox Posts


Our Contact Details

The Colin Sanders Innovation Centre
Mewburn Road, Banbury
Oxfordshire. OX16 9PA

+44 (0)1295 817646