Your personal data explained
- The different types of personal data
- Your GDPR data rights
- How to uncover your digital footprint
- How to improve your data privacy today
What is personal data?
Legally, personal data is any information that could be used to identify you, directly or indirectly.
- Name and date of birth
- Contact details
- Postal address
- IP address and cookie identifiers
- ID numbers
- Mobile phone GPS
- Bank details
To get technical, it's any information that’s specific to a living person’s 'physical, physiological, genetic, mental, economic, cultural or social identity'.
As you can see from the examples above, this can range from your name and email address to your medical history.
Some of this is classed as sensitive data, depending on how much it might impact you if it was shared without your consent.
What is sensitive personal data?
Sensitive personal data, or 'special category data', is information that can identify you and could potentially be used to discriminate against you.
- Racial or ethnic origin
- Political opinions, religious or philosophical beliefs
- Trade-union membership
- Genetic data, such as blood type, gender and any other genetic characteristics
- Biometric data, such as fingerprints and facial images
- Health data
- A person’s sexual life or sexual orientation
Although there are more rules and protections for sensitive personal data, there isn't much to stop advertisers figuring some of it out indirectly.
For example, an advertiser may see that you search for 'symptoms of depression' and 'how to cope with depression' and deduce that you are likely depressed. You can read more about how your mental health data might be being sold to advertisers here.
Thanks to GDPR law, you have a lot of rights over your own personal data. At the heart of them is that you can ask any company what they know about you, and tell them to delete it.
What is not personal data?
There’s actually no definitive list of what is and isn’t personal data, but in general, any information that can’t be traced back to a living person isn’t considered personal data. It all comes down to context.
For example, a person’s name doesn’t always count as personal data because there could be lots of people with the name ‘John Smith’. However, if a name is combined with other information, like an address, online activity or date of birth, then it's usually enough to clearly identify just one individual. In that context, a person’s name would count as personal data.
Some examples of items that aren't considered to be personal data:
- A company registration number
- An email address such as firstname.lastname@example.org
- Anonymised data
'GDPR' stands for General Data Protection Regulation, and is a law that both gives people more control over their own personal data, and limits what companies can do with it.
What's GDPR and what rights does it give me?
Introduced in 2017, GDPR is a landmark law that gives individuals far more rights over their information than ever before.
There are eight GDPR rights:
- Right of access: you can request any personal information from as many companies as you’d like.
- Right to rectify: you can ask companies to update outdated information or amend incomplete details.
- Right to erasure: you can tell companies to delete any data you want to remove.
- Right to restrict: you can limit the processing of your information.
- Right to object: you can prevent an organisation from processing your information.
- Right to portability: you can request your data to be transferred from one organisation to another, at any time.
- Right to transparency: you have the right to be informed on the collection and use of your personal data.
- Rights of automated decision making: This puts safeguards in place to protect you from potentially damaging decisions being made about your personal data without human intervention.
Is the Data Protection Act different to GDPR?
The Data Protection Act (2018) is the UK's tailored version of GDPR. You can read about the key differences between the two in our blog; however, the eight central rights remain the same. This means that you have the right to ask any company what they know about you, and tell them to delete it if you want to.
How long can personal data be stored for?
There’s no legal limit for keeping personal data. Under GDPR law, data should simply not be stored for any longer than it’s needed.
The guidelines are vague, and how long companies can keep your data for entirely depends on what your data is being used for. For example, since an employee can claim breach of contract within six years of the alleged breach, it’s reasonable for a company to store performance and employment contract data for six years after an employee leaves.
In comparison, a reasonable length of time for a company to store an unsuccessful CV is six months because that’s the window of time in which an applicant can file a discrimination claim.
Remember, a company should always be able to justify the length of time it has chosen to store personal data.
Can I ask a company to delete my data?
Yes. Current legislation, such as GDPR and The Data Protection Act, fundamentally exists to protect the rights of individuals. That means you as a consumer.
You can ask any company to delete your personal data for free, and they have to reply within 30 days by law.
You can use your rights to uncover your digital footprint, and take action.
How can I clean up my digital footprint?
Cleaning up your digital footprint takes time, and it's important to note that because so many companies share information with third parties, it's impossible to get all of it.
However, you can remove a significant amount of information from companies for free and in one go through Rightly. Afterwards, you can take steps to share less information online (tips below) and ensure that what happens to your data is up to you.
How can I protect my personal data?
While the responsibility lies with the company to protect any data they're holding on you, there are some steps that you can take to prevent data breaches affecting you, as well as protecting your personal information more broadly.
13 dos and don'ts to help you protect your personal data moving forwards:
✔️ DO use multiple email addresses
✔️ DO keep passwords private
❌ DON'T share your personal information on social media
✔️ DO avoid scam emails or phishing
✔️ DO limit the number of bank cards, ID and National Insurance cards you take out with you
✔️ DO use antivirus, anti-spyware and firewall software
❌ DON'T use public wifi if you can avoid it
✔️ DO read company privacy policies before entering your details (see our blog)
✔️ DO turn off your GPS
✔️ DO use a VPN
✔️ DO encrypt your personal data
✔️ DO update your cookies
✔️ DO use a secure browser such as DuckDuckGo
A data breach is a loss of information by an organisation. This can range from losing the credit card details of their customers to the intimate details stored on a women's health app. Either way, a breach compromises your privacy and security.
What do I do if my data has been compromised?
First of all, we’re sorry that this has happened. We know it can be distressing and hope that we can help.
Here are a few immediate steps you can take:
1. Immediately change all of your passwords
2. Keep a close eye on your bank accounts and credit reports
3. Be on alert for scams. Note anybody contacting you asking for your details
4. Make a complaint to the company who lost your data
5. Make a complaint to the Information Commissioner’s Office
If you want to delete your data from the company that’s been breached, you can send a full deletion request through our platform, for free.
We hope this has helped
It's a big topic but in essence, any information that can directly or indirectly identify you is your personal data.
Still have questions? Contact our friendly support team. We'd love to hear from you.
Personal data FAQs
Personal data can be used in many different ways, so this list is by no means exhaustive, but here are some examples of what your personal data may be being used for:
- The day-to-day functioning of your life: the saving of log-in details, shopping baskets, and payment details all rely on the saving of your data to use at a later date, and help your online experience run smoothly. Data can also be used to secure other data, for example, your phone can use your fingerprint or face ID to authorize access to your phone.
- Academic research: Researchers in any academic discipline can ‘study social media posts and other user-generated data’ to learn more about people. As Seth Stephens-Davidowitz’s research revealed, people’s thoughts and behaviour are usually better gathered from sites like Google than traditional surveys. For example, he found that less than 20% of people admit they watch porn, ‘but there are more Google searches for “porn” than “weather.”'
- Social media: information about when you're typically online, where you’ve been, who your friends are and have been, is all stored. This data can be used to help you connect with your friends and followers. Most of this is not deleted, and some of this is used to market to you more effectively, too.
- Employer activities: employers store and analyse personal data to different extents, with many using it to make changes to the work environment. Employers may also analyse your personal data in the hiring process. To give you an idea, a survey by CareerBuilder in 2018 revealed that over 50% of employers didn’t hire a candidate because of their social media content.
- Tailoring the consumer experience: businesses can analyze customer behaviour and adjust their goods and services to better suit them. For instance, Instagram adjusted their algorithm in 2018 and switched from showing users their news feed in chronological order, to one based on the accounts they most interacted with and whose content they were most likely to find engaging. This data is also passed on to advertisers, who use it for strategic targeting.
- Making money: Data can be monetised. This is because advertisers can use data to create ‘data profiles’ on individuals, containing things like their spending habits, likes, and even their current mood, to target them with relevant ads. Advertisers can also bid for personal data in real time. Data brokers, and any company that collects and sells customer data, can profit greatly because of this industry. Personal data is very valuable: according to the Financial Times it’s a $76bn industry estimated to be worth $200bn by 2022.
Here’s an example to give you an idea of how a shoe retail company could use personal data:
- Name: to identify you
- Location: where you are likely to shop
- Occupation: the kind of clothing required
- Income level: what you are likely to spend
- Spending habits: what you are likely to buy
- Subscriptions: to determine related likes and wants
While some uses of data are purely for the benefit of the consumer, such as tailored advertisements that have been consented to, there are other practices that are legal but tend to alarm consumers, such as data profiling. To read more about that, see our blog.
A subject access request is a written request that you can send to any company to find out what information they hold about you. They have to reply within 30 days by law.
It can be difficult to know if your personal data has been breached, especially as some data breaches aren’t reported on. Sometimes breaches aren't reported because the company isn't notable enough to get press coverage; sometimes the company itself hasn't reported it, to avoid fines and negative press coverage.
Luckily, there are some ways you can check for data breaches yourself. We recommend:
- Regularly checking the site Have I Been Pwned. Just type in your email address, and it will show you if there have been any data breaches related to that email address.
- Watching the news to keep up with any new big data breaches. You can then use our platform to tell the breached company to delete your data.