Having trouble watching this video? Click here if the video isn't loading.
Show full transcript for Data Subject and Personal Data under GDPR video

A data subject is a living person who can now be identified directly or indirectly by reference to an identifier. For example, name, ID number or online identifier. This has been expanded to allow for advances in technology.

An online identifier could be an IP address, cookie identifiers, a radio frequency identification (RFID) tag or MAC address. When
these online identifiers are combined with unique identifiers and other information received by servers, they may be used to create profiles of individuals and identify them.

Personal data under GDPR is any information relating to an identified or identifiable person. This includes their name, address, posts on social networking sites, a photo, email address, medical information, bank details, online identifier or a computer IP address.
If you can identify an individual using only the data you are processing, the information may be personal data. In many cases, it will be clear that the person can be clearly identified. For example, if you have their name and address or their corporate email address that includes their first and last name, then they are clearly identifiable. More information about identifying individuals is available on the information commissioners website.

Sensitive personal data, under GDPR, includes racial or ethnic origin, political opinions, religious or philosophical beliefs, sexual orientation and preferences, trade union memberships and information relating to their medical conditions or health. Personal data can include information relating to previous criminal convictions and offences, which also require a higher level of protection.

So what does Processing mean under GDPR?

Processing means anything you do with personal data, whether manual or automated, including collecting the data, storing it and deleting it. Even if you store and do nothing with the data this is still classified as processing under GDPR.