Personal Data
Definition
Personal data refers to any information relating to an identified or identifiable natural person, often called the data subject. The personal data definition encompasses a wide spectrum of information, ranging from direct identifiers like names, identification numbers, and email addresses to less obvious markers such as location data, online identifiers, or factors specific to the physical, physiological, genetic, mental, economic, cultural, or social identity of that person. In the context of PII compliance, information qualifies as personal data if it can be used, either alone or in combination with other data, to single out an individual or link records to a specific data subject identity. This includes behavioral data and profiling data generated through digital interactions. Unlike anonymized data, which is irreversibly stripped of identifiers, personal data remains subject to regulatory protections ensuring its confidentiality, integrity, and availability.
Real-World Examples
Customer Account Records
An online retailer maintains a database containing customer names, shipping addresses, and purchase history. This collection constitutes personal data because the identifiable information allows the retailer to fulfill orders and profile customer preferences. Even if the name is removed, the combination of address and order history could still allow for indirect identification.
Digital Tracking & Profiling
A marketing firm collects IP addresses, device IDs, and browsing habits from website visitors to create user profiles. Although the firm may not know the real names of the visitors, this behavioral data is considered personal data because it distinguishes one user from another and is used to target specific advertisements to a unique data subject identity.
Frequently Asked Questions
What is personal data?
Personal data is any information about an individual who is identifiable by or in relation to such data. This broad personal data meaning includes objective facts (like a tax ID or height) and subjective information (like opinions or performance reviews) that can be linked to a specific natural person.
What is the difference between direct and indirect identification?
Direct identification occurs when data points like a full name or passport number immediately reveal who the person is. Indirect identification happens when data, such as a job title, location, or rare combination of attributes, allows a data subject to be distinguished from others without using a direct name tag.
Is an IP address personal data?
Yes, an IP address is often considered personal data, particularly when it allows a data controller (like an ISP or website operator) to link the device to a specific user account or physical location, thereby making the individual identifiable through online profiling data.
What is sensitive personal data?
Sensitive personal data is a subset of personal data that requires higher protection due to the risk of significant harm if misused. While definitions vary, it typically includes financial data, health records, biometric templates, genetic information, political opinions, and data revealing religious beliefs or sexual orientation.
Is business contact information personal data?
Generally, yes. Information like a professional email address (e.g., name.surname@company.com) or a direct business phone number is considered personal data because it relates to a specific individual within an organization, rather than just the generic entity itself.
When does data stop being personal data?
Data stops being personal data when it is effectively anonymized. Anonymized data has been processed in such a way that the data subject is no longer identifiable, and the process is irreversible. Unlike pseudonymized data, which can be re-linked to an individual, anonymized data falls outside privacy regulations.
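As an added example (not from this page or from WatchDog Security), the Python below applies the pseudonymized-versus-anonymized distinction to the retailer table from the Customer Account Records example: replacing the name with a keyed-hash pseudonym leaves data that anyone holding the key can re-link, and a singling-out (k-anonymity) check shows which records remain identifiable from the attributes that are left. The records, names and key are all constructed for the demonstration.

```python
import hashlib
import hmac
from collections import Counter

# Constructed sample export (hypothetical people, not real data): the
# retailer's customer table from the "Customer Account Records" example.
RECORDS = [
    {"name": "Alice Example", "postcode": "SW1A 1AA", "last_item": "running shoes"},
    {"name": "Bob Example",   "postcode": "SW1A 1AA", "last_item": "kettle"},
    {"name": "Carol Example", "postcode": "M1 1AE",   "last_item": "kettle"},
    {"name": "Dan Example",   "postcode": "M1 1AE",   "last_item": "kettle"},
]
# Fields that are not direct identifiers but can still narrow down a person.
QUASI_IDENTIFIERS = ("postcode", "last_item")


def pseudonymize(records, key: bytes):
    """Swap the direct identifier for a keyed-hash (HMAC-SHA256) token.
    Whoever holds `key` can recompute the token for a known name, so the
    output is pseudonymized, re-linkable personal data, not anonymized data."""
    out = []
    for r in records:
        token = hmac.new(key, r["name"].encode(), hashlib.sha256).hexdigest()[:16]
        out.append({"pseudonym": token, **{q: r[q] for q in QUASI_IDENTIFIERS}})
    return out


def relink(pseudonymized, key: bytes, name: str):
    """Re-identify the record(s) of a known person using the pseudonym key."""
    token = hmac.new(key, name.encode(), hashlib.sha256).hexdigest()[:16]
    return [r for r in pseudonymized if r["pseudonym"] == token]


def singled_out(records, quasi=QUASI_IDENTIFIERS):
    """Records whose quasi-identifier combination is unique in the set (k = 1).
    Each can be picked out although no name is present: indirect identification."""
    combos = Counter(tuple(r[q] for q in quasi) for r in records)
    return [r for r in records if combos[tuple(r[q] for q in quasi)] == 1]


def k_anonymity(records, quasi=QUASI_IDENTIFIERS):
    """Smallest group sharing one quasi-identifier combination.
    k = 1 means someone is singled out; raising k, e.g. by dropping or
    coarsening a quasi-identifier, is one step toward genuine anonymization."""
    combos = Counter(tuple(r[q] for q in quasi) for r in records)
    return min(combos.values())
```

With the constructed records, two of the four customers are still singled out by postcode plus last purchase after the name is removed, and the whole set only reaches k = 2 once the purchase field is dropped.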
Can personal data be public?
Yes, personal data can be public, such as information posted by the individual on social media or listed in public registers. However, exemption rules often apply; for instance, data made publicly available by the data subject themselves may be exempt from certain processing restrictions, though it remains personal data.
How must personal data be protected?
Personal data must be protected using reasonable security safeguards to prevent unauthorized access, disclosure, alteration, or loss. This typically includes technical measures like encryption, strong authentication, least-privilege access controls, logging and monitoring, and secure configuration, plus organizational measures such as staff training, data minimization, and clear retention and deletion rules. For ongoing assurance, WatchDog Security's Posture Management can continuously benchmark cloud and SaaS configurations and flag misconfigurations that could expose personal data, helping teams prioritize remediation.
References & Resources
Crafting & Implementing A Data Management Policy (WatchDog Security)
ICO Guidance: What is personal data? (Information Commissioner's Office, UK)
Regulation (EU) 2016/679 (GDPR), Article 4 (Definitions) (European Union, EUR-Lex)
NIST SP 800-122: Guide to Protecting the Confidentiality of Personally Identifiable Information (PII) (NIST)
| Version | Date | Author | Description |
|---|---|---|---|
| 1.0.0 | 2026-02-26 | WatchDog Security GRC Wiki Team | Initial publication |