The Data (Use and Access) Act (DUAA) became law on 19 June 2025, which may result in changes to GDPR in the coming year (June 2025-26).
UK GDPR is made up of 99 articles, which cover its principles and the duties it places on businesses, including collecting data lawfully. Article 4 of GDPR defines the terms used within the law, like ‘consent’ or ‘profiling’, and explains in more depth what counts as personal data.
Aside from direct data like names and addresses, there are other personal identifiers such as ID numbers, IP addresses and genetic/health information. That’s why GDPR covers information that both directly and indirectly identifies a person.
Key summary:
- Article 4 of GDPR clearly defines what personal data is: Data that directly identifies a person or data which can make them identifiable
- The Article also defines special categories of data including genetic, biometric and health data, and pseudonymisation
- It’s essential that you and your teams know what personal data is and how to protect it, otherwise you could risk financial penalties up to £17.5m or 4% of your annual turnover in the event of a personal data breach.
What personal data is protected under GDPR?
GDPR Article 4 defines personal data as any information that can directly identify a person or data which makes them identifiable. This can include:
- Names
- Identification number
- Location data
- Online identifiers, e.g. an IP address
- Physical, physiological, genetic, mental, economic, cultural or social identity of that person
"‘Personal data’ means any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person."
– Information Commissioner’s Office (ICO)
What personal data can be used to indirectly identify a person?
Personal data is information that could make a person identifiable, and it doesn’t always include direct data such as names. For example, you can’t always identify someone from their name if it’s extremely common, such as ‘John Smith’. But if you combine the name with an IP address, it’s easier to identify them.
Similarly, if you don’t know a person's name, it doesn’t mean you can’t identify them. You might know your neighbour’s address and see them wearing an employer's uniform each day. If you notice a birthday party with banners stating their age, you could guess their date of birth. Bringing this information together – employer, address and date of birth – could then allow you to identify the person.
In some more extreme circumstances, even the first half of someone’s postcode may be an identifier. If it relates to a remote part of the country, where there is only one farmhouse and only one person (the farmer) lives at that farm, someone could indirectly establish the identity of the person, which is why postcodes are considered to be personal data.
What is pseudonymisation in GDPR?
Pseudonymisation involves removing any identifiable data about a person, so they can no longer be identified without extra information. But the added information, which could be used to identify them, should be held separately and be secure.
An example of pseudonymisation is replacing names with an ID number or concealing email addresses.
However, it still counts as personal data under GDPR because it can lead to identification of the person.
Hospitals typically generate an ID number for patients, but if their name or health data is attached alongside it, it doesn’t count. On the other hand, a research study could replace participants’ names with labels such as “Participant 1”, which does count as pseudonymisation – as long as it doesn’t include any other identifiable information.
“…processing of personal data in such a manner that the personal data can no longer be attributed to a specific data subject without the use of additional information, provided that such additional information is kept separately and is subject to technical and organisational measures to ensure that the personal data are not attributed to an identified or identifiable natural person.”
– Information Commissioner’s Office (ICO)
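To make the definition above concrete, here is an added example (not from the original article) of pseudonymising a small set of constructed records: direct identifiers are replaced by a keyed HMAC token, the lookup table linking tokens back to names is returned separately so it can be stored apart from the records, and a check flags datasets that still carry a name next to the ID, which is the hospital mistake described above. The field names, the key and the records are all assumptions.

```python
import hashlib
import hmac

# Constructed sample records about fictional people (field names are assumptions).
RECORDS = [
    {"name": "Jane Doe", "email": "jane@example.com", "postcode": "SW1A 1AA", "condition": "asthma"},
    {"name": "John Smith", "email": "john@example.com", "postcode": "EH1 1YZ", "condition": "none"},
]

# Fields that directly identify a person and must not remain in the pseudonymised set.
DIRECT_IDENTIFIERS = ("name", "email")


def pseudonym(value: str, key: bytes) -> str:
    """Deterministic pseudonym: a keyed HMAC so the same person gets the same ID across
    records, while nobody without the key can recompute or reverse the mapping."""
    digest = hmac.new(key, value.strip().lower().encode(), hashlib.sha256).hexdigest()
    return "P-" + digest[:12]


def pseudonymise(records, key):
    """Returns (pseudonymised records, lookup table).

    The lookup table is the 'additional information' in the ICO definition: it is
    returned separately so it can be held apart from the records and protected."""
    output, lookup = [], {}
    for rec in records:
        pid = pseudonym(rec["email"], key)
        lookup[pid] = {field: rec[field] for field in DIRECT_IDENTIFIERS}
        kept = {k: v for k, v in rec.items() if k not in DIRECT_IDENTIFIERS}
        output.append({"participant_id": pid, **kept})
    return output, lookup


def reidentify(pseudo_record, lookup):
    """Re-identification is only possible for whoever holds the separate lookup table,
    which is why pseudonymised data is still personal data under GDPR."""
    return {**lookup[pseudo_record["participant_id"]], **pseudo_record}


def leaks_direct_identifier(records) -> bool:
    """True if any record still carries a name or email next to its ID; attaching a
    direct identifier alongside the ID defeats the pseudonymisation."""
    return any(field in rec for rec in records for field in DIRECT_IDENTIFIERS)
```

Note that the postcode survives in the pseudonymised output, which is exactly why the result remains personal data that can still make someone identifiable, as the farmhouse example later on the page illustrates.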
What counts as sensitive personal data in GDPR?
There are also special categories of data, which the Information Commissioner’s Office (ICO) states may need a higher level of protection:
- Race
- Ethnic origin
- Political opinions
- Religious or philosophical beliefs
- Trade union membership
- Genetic data
- Biometric data
- Health data
- Sex life or sexual orientation
Genetic data
Beyond names and addresses, the regulation also protects genetic data, which includes information about a person's inherited or acquired genetic characteristics, such as those obtained through DNA testing. This could include information from your DNA or results of a paternity test. More companies are now holding genetic data due to the rise in private online testing and ancestry companies.
"‘Genetic data’ means personal data relating to the inherited or acquired genetic characteristics of a natural person which give unique information about the physiology or the health of that natural person and which result, in particular, from an analysis of a biological sample from the natural person in question."
– Information Commissioner’s Office (ICO)
Biometric data
Many organisations (including health, police and technology companies) collect biometric data, which is protected by GDPR. This includes:
- Fingerprints
- Facial recognition
- Iris or retina
- Voice patterns
- Gait
For example, the police collect a suspect’s fingerprints after arrest, while a technology company collects them to enable fingerprint identification on mobiles or laptops. Biometric data is increasingly being used for security purposes because it’s unique to the person and more secure.
"‘Biometric data’ means personal data resulting from specific technical processing relating to the physical, physiological or behavioural characteristics of a natural person, which allow or confirm the unique identification of that natural person, such as facial images or dactyloscopic data."
– Information Commissioner’s Office (ICO)
Health data
Health data is also protected under GDPR and includes information collected on:
- Physical health
- Mental health
- Provision of healthcare services
Beyond health organisations (like the NHS and private care providers including counsellors and physiotherapists), businesses typically collect health data on their employees. This could include any diagnosed conditions, disabilities, workplace accidents, treatment and sick leave, as well as through occupational health.
"‘Data concerning health’ means personal data related to the physical or mental health of a natural person, including the provision of health care services, which reveal information about his or her health status."
– Information Commissioner’s Office (ICO)
Want to learn more about GDPR?
We've created a comprehensive GDPR roadmap to help you navigate the compliance landscape, supported by a comprehensive library of GDPR Courses.
We also have additional free resources such as e-learning modules, microlearning modules, and more.
Written by: Martin Schofield
Martin has over two decades of experience at the front-line in compliance, financial crime prevention and data protection, along with a further decade of experience consulting, in-person training and interacting with professionals at hundreds of firms. He is a keen promoter of joined-up thinking in compliance training and management and of creating a culture that gets employees at all levels engaging with the compliance department.
