Short answer: Personal data is any information relating to an identified or identifiable person. It includes ordinary identifiers, often called PII (e.g. name, email, date of birth), and the special categories of sensitive personal data (e.g. health information, religion or biometric data). Both are protected under the GDPR, but the special categories are subject to stricter requirements.
What is personal data?
When we talk about personal data, we typically distinguish between two main categories:
- PII (Personally Identifiable Information)
- Sensitive personal data
PII refers to information that can identify an individual directly or indirectly – such as a name, address, date of birth, email or IP address.
Sensitive personal data is a special category that requires additional protection. Under Article 9 of the GDPR this includes data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs or trade union membership, as well as health data, genetic data, biometric data used to uniquely identify a person, and data concerning sex life or sexual orientation. Regardless of type, it is crucial to know what kind of data you are dealing with, because the legal obligations around processing and protection depend on exactly that.
What is not personal data?
Not all information associated with a person qualifies as personal data. For information to be personal data, it must relate to a person who is identified or can be identified, directly or indirectly. Examples of information that typically falls outside the definition:
- Anonymous information, meaning data from which the person can no longer be identified by any means reasonably likely to be used. Pseudonymised data (for example names replaced by a code or a hash that can be linked back with additional information) does not meet this bar and remains personal data under the GDPR.
- Company information, such as a company registration number, a registered business address or a generic info@ mailbox. Details of a named employee or sole trader are still personal data.
Note that publicly available information is not an exception: a name, address or photo that has been published remains personal data, and the GDPR still applies to how you collect and process it.
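To make the distinction between anonymous and pseudonymised data concrete, here is an added example in Python (it is not part of the original article and not Safe Online's code). It uses a constructed three-address customer list and shows that replacing e-mail addresses with plain SHA-256 digests is reversed by a simple dictionary attack, and that even a keyed hash (HMAC) still counts as personal data, because whoever holds the key can re-identify the records.

```python
import hashlib
import hmac
import secrets
from typing import Iterable, Optional

# Constructed sample data for this example: a small customer list. Imagine an
# "anonymised" export in which the e-mail column was replaced by SHA-256 digests.
CUSTOMERS = ["alice@example.com", "bob@example.org", "carol@example.net"]


def normalise(email: str) -> bytes:
    """Canonical form of an address so the same person always maps to the same digest."""
    return email.strip().lower().encode("utf-8")


def pseudonymise_sha256(email: str) -> str:
    """Replace an e-mail address by its unkeyed SHA-256 digest.
    Widely used, but this is pseudonymisation, not anonymisation."""
    return hashlib.sha256(normalise(email)).hexdigest()


def reidentify_sha256(digest: str, candidates: Iterable[str]) -> Optional[str]:
    """Dictionary attack: anyone with a list of plausible addresses (a marketing
    list, a breach dump) recomputes the hash and links the digest back to a person."""
    for candidate in candidates:
        if hmac.compare_digest(pseudonymise_sha256(candidate), digest):
            return candidate
    return None


def pseudonymise_keyed(email: str, key: bytes) -> str:
    """HMAC-SHA256 under a secret key. The dictionary attack fails without the key,
    but the key holder can still link records, so the output is still personal data
    in the GDPR sense (Recital 26), merely pseudonymised."""
    return hmac.new(key, normalise(email), hashlib.sha256).hexdigest()


def reidentify_keyed(digest: str, candidates: Iterable[str], key: bytes) -> Optional[str]:
    """What the controller (or anyone who obtains the key) can do with the same list."""
    for candidate in candidates:
        if hmac.compare_digest(pseudonymise_keyed(candidate, key), digest):
            return candidate
    return None


def demo() -> dict:
    key = secrets.token_bytes(32)  # secret held by the controller only
    target = "bob@example.org"
    plain_digest = pseudonymise_sha256(target)
    keyed_digest = pseudonymise_keyed(target, key)
    return {
        # Unkeyed hash: an attacker with a candidate list recovers the person.
        "unkeyed_reversed": reidentify_sha256(plain_digest, CUSTOMERS),
        # Keyed hash: the same attacker, without the key, gets nothing...
        "keyed_reversed_without_key": reidentify_sha256(keyed_digest, CUSTOMERS),
        # ...but the key holder still can, which is why the data is not anonymous.
        "keyed_reversed_with_key": reidentify_keyed(keyed_digest, CUSTOMERS, key),
    }


if __name__ == "__main__":
    print(demo())
```

The practical lesson for a "de-identified" export: a hash of a stable identifier is a lookup key, not anonymisation. Data only leaves the scope of the GDPR when nobody, including you, can reasonably link it back to a person, which usually means aggregation or removal of the identifier rather than hashing it.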
How to protect personal data
Many countries have legislation that protects personal information. In the EU there is the General Data Protection Regulation (GDPR), which regulates the processing of personal data within the EU. The GDPR stipulates, among other things, that personal data must be processed lawfully, fairly and transparently, collected only for specified, explicit purposes, and processed on a valid legal basis such as the data subject's consent, a contract, a legal obligation or a legitimate interest. The GDPR also requires personal data to be protected against unauthorised access, and against accidental or unlawful destruction, loss or alteration.
Other countries have their own privacy laws. In the United States, for example, there is the California Consumer Privacy Act (CCPA), which took effect on 1 January 2020. The CCPA gives California residents the right to know what personal information businesses collect about them, to demand that it be deleted and to opt out of its sale. The CCPA also requires businesses to implement reasonable security procedures to protect personal information, and it allows consumers to sue when a failure to do so leads to a data breach.
Insight into personal data
As an individual, you have the right of access to the personal data that controllers hold about you. This applies to companies, public authorities and organisations. You exercise the right by contacting the organisation that you believe holds the data. It must then give you a copy of the data and tell you where it came from, what it is used for, how long it will be kept and who it has been or will be shared with. Under the GDPR the response is due without undue delay and at the latest within one month, extendable by two further months for complex requests.
When can you have your personal data deleted?
You have the right to have your personal data deleted if it is no longer necessary for the purpose for which it was collected, if you withdraw the consent the processing was based on and there is no other legal basis, or if the data is being processed unlawfully or in breach of the General Data Protection Regulation (GDPR). The right is not absolute: a controller may refuse where it must keep the data to comply with a legal obligation, for example.
Personal information on the web
With the increasing use of the internet and social media, protecting an individual's data online has become even more important. When using websites and social media you may be asked to share personal information such as your name, address, date of birth, telephone number and e-mail address. Companies and organisations may use this information to target their marketing or to build a profile of you.
When sharing personal information online, be aware that it may be seen by many people and is hard to withdraw once published. Also check that the websites and services you use protect your data: look for HTTPS (TLS encryption) in the address bar, enable multi-factor authentication where it is offered, and be sceptical of services that still rely on passwords alone.
Is personal data sensitive?
Not all personal data is sensitive, but all of it must be handled responsibly. Information such as name, email address and postal address is often referred to as PII (Personally Identifiable Information); the GDPR itself simply calls it personal data. While not classified as sensitive, it still requires a lawful basis for processing and appropriate protection.
Sensitive personal data, on the other hand, is a special category that reveals more private or vulnerable aspects of an individual. Because this type of data can be misused to harm or discriminate, it is subject to stricter rules. As a general rule, it may only be processed with explicit consent or under clearly defined legal exceptions.
FAQ about personal data
1. How do we know which personal data is PII and which is sensitive personal data?
PII refers to data that already identifies you – like your name, address, or email. Sensitive data goes further and reveals vulnerable aspects – such as health, religion, ethnicity, or biometric information.
2. Why are some types of personal data subject to stricter rules?
Because they carry greater risk if misused – such as discrimination, identity theft, or violation of privacy. That’s why you must always have explicit consent or a clear legal basis to process them.
3. Do we need documentation of the personal data we process?
Yes. Under the GDPR's accountability principle you must be able to demonstrate that your processing is lawful. In practice this means keeping records of processing activities (Article 30), appropriate policies and contracts with processors, risk assessments and, where required, data protection impact assessments, and evidence of how you uphold data subject rights and handle breaches.
Remember this when you process personal information
As a company, you are responsible for protecting the personal data you collect and store. It’s not just about legal compliance – it’s about trust. When data is used responsibly and only for its intended purpose, you reduce the risk of misuse and data breaches. If you need help managing personal data correctly, you can read more about our tools here:
DataMapper – Find your sensitive data
ShareSimple – Send and receive data securely in Outlook
RequestManager – Process data subject requests easily
Sebastian Allerelli
Founder & COO at Safe Online
Sebastian is the co-founder and COO of Safe Online, where he focuses on automating processes and developing innovative solutions within data protection and compliance. With a background from Copenhagen Business Academy and experience within identity and access management, he has a keen understanding of GDPR and data security. As a writer on Safe Online's Knowledge Hub, Sebastian shares his expertise through practical advice and in-depth analysis that help companies navigate the complex GDPR landscape. His posts combine technical insight with business understanding and provide concrete solutions for effective compliance.