What Counts as Personal Data Under UK GDPR?

The legal definition, in plain terms

The UK GDPR defines personal data as any information relating to an identified or identifiable natural person — in everyday language, a living individual who can be recognised, directly or indirectly, from that information. The phrase "relating to" is deliberately wide: it captures anything that is about you, says something about you, or is used to make a decision about you.

"Identifiable" is the key word. You do not have to be named for information to be personal data. If a piece of information could be linked to you on its own, or pieces could be combined to single you out, it generally falls within the definition. A reference number, an account ID or a description can all count where they point back to a real person.

The right of access and the other rights under the UK GDPR apply to this personal data. So the breadth of the definition is not academic — it shapes exactly what you can ask an organisation about when you exercise your own rights.

The obvious identifiers

Some information is clearly personal data because it points straight to an individual. These are the details most people picture when they think about their own data, and they are the easiest to recognise in a privacy notice or an access response.

Even within this group, context matters. A single category — say, your postcode — might identify a household rather than a person on its own, but combined with other fields it can narrow down to you specifically. The UK GDPR treats that combined picture as personal data too.

• Your name, whether full, partial, or a username that maps to you.
• Contact details such as email address, phone number, and postal address.
• Identification numbers — national insurance number, passport number, customer or account IDs.
• Financial details like bank account or card information.
• Information about your body, health, or characteristics that describes you.

The surprising ones — and why the definition reaches further

The part that catches many people out is that personal data also includes online identifiers. The UK GDPR specifically mentions that things like IP addresses, cookie identifiers and device IDs can be personal data, because they can be used — alone or with other information held by an organisation — to single out and track a particular person across time or services.

Location data and behavioural records sit in the same place. Where you were, what you looked at, and patterns in how you use a service can all relate to you as an identifiable individual. None of this is about anyone watching you in real time; it is simply that the law recognises how much these everyday digital traces can reveal once they are connected to a person.

Understanding this wider picture is the calm, practical reason it helps to see your own footprint in one place. When you know that an online identifier or a location record counts as your personal data, you know it is something you can ask about, question, and route a request about — entirely on your own terms.

This article is general information and not legal advice. For guidance on a specific situation, consider speaking with a qualified professional or your supervisory authority, the Information Commissioner's Office (ICO).

• Online identifiers — IP addresses, cookie IDs, advertising IDs, and device fingerprints.
• Location data drawn from a device or service.
• Records of your activity, choices, or behaviour over time.
• Pseudonymised data, where a key still exists that could re-link it to you.

Frequently asked questions

Related terms

• Personal data
• GDPR (General Data Protection Regulation)
• Online identifier
• Data controller