Extent of the GDPR

The GDPR will apply to the processing of personal data, as under the DPA. The new definition of personal data, however, specifically includes information such as ID numbers and IP addresses that can be used to identify a person online. In practice, any data about a living person who can be identified from the data available (or potentially available) will count as personal data. This will include reversibly anonymised (‘pseudonymised’) data.

Stronger safeguards and requirements will apply to sensitive personal data (referred to as ‘special categories of data’ under the GDPR). This refers to data falling under the following categories (the last two of which were not included in the DPA):

Personal data falling under these categories can be processed only under specific circumstances, which are described in Article 9(2) of the GDPR.

Personal data relating to criminal convictions and offences are not included in the special categories of data, but similar extra safeguards apply to processing them.

Also see the ICO’s Introduction to the GDPR, and Articles 4(1), 9 and 10 of the GDPR.