Personal data sits at the heart of data protection law, but it is a broader category than many founders initially assume. A common misconception is that personal data is limited to obviously sensitive information such as financial records or medical history. In practice, it covers a much wider range of information, and understanding the definition correctly is the starting point for assessing what obligations apply.

Personal data is any information that relates to an identified or identifiable living individual. This includes names, email addresses, phone numbers, and home addresses, but also IP addresses, location data, device identifiers, and any information that could identify someone on its own or in combination with other data. Special categories of personal data — such as health information, racial or ethnic origin, and political opinions — carry additional protections under UK GDPR and require a higher standard of justification to process.

Most businesses process personal data even if they do not think of it in those terms — a customer contact list, an email marketing database, or website analytics all involve personal data. Understanding what data you hold and why is the first step in compliance. Our guide to personal data and UK GDPR helps founders identify what they are processing and what that means for their obligations.