Handling personal data within GDPR

Tue 21st Jan 2025

Frequently, employers receive Data Subject Access Requests (DSAR) from their employees or former employees. These are requests for information about personal data the organisation is processing on the individual. Whilst individuals are entitled to their personal data, organisations need to consider what is “personal data” and the appropriate measures organisations must adopt when processing individuals’ personal data.

The UK GDPR governs the processing of personal data belonging to “data subjects,” who are identified or identifiable natural persons.

Considering the legal definitions 

(i) “Personal data”

In the first instance, organisations should consider the definition of “personal data” which is defined as "any information relating to an identified or identifiable natural person” (i.e. the data subject).

The legal definition encompasses various data types, including electronic and hard copies that can either directly or indirectly identify an individual within the data source.

Examples of “personal data” include:

  • An individual’s name, address, phone number or email address.
  • An identification number e.g. social security number, passport number, or driver’s license number.
  • Location data e.g. IP address or GPS coordinator.
  • An online identifier.
  • Biometric data e.g. fingerprints, facial recognition, or DNA.
  • Genetic data.
  • Political opinions, religious beliefs, or membership in trade unions.

Anonymising the data should be considered when employees make DSARs to ensure that the data is being processed securely and, where appropriate, the personal data of other individuals cannot be identified.

If there is uncertainty about whether information is personal data, the ICO recommends treating the information as personal data and that organisations:

  • Keep the data secure.
  • Protect the data from inappropriate disclosure.
  • Are open about how the data is collected; and
  • ensure any processing of the data is justified.

(ii) “Identifiable living individual”

The Data Protection Act 2018 (DPA 2018) expands on the definition of an "identifiable living individual", meaning a living person who can be identified directly or indirectly by reference to:

  • An identifier e.g. a name, an identification number, location data or an online identifier; or
  • One or more factors specific to their physical, physiological, genetic, mental, economic, cultural, or social identity.

If an individual can be identified solely from the information in an organisation's possession, it is considered that they are directly identified, or identifiable.

What is the effect of non-compliance with GDPR?

The ICO has a range of enforcement powers to take action however if there are breaches of compliance with the data protection law in the UK. These include monetary penalties, enforcement notices, prosecution, reprimands, audits, and investigations.

For serious breaches of the UK GDPR, the ICO also has the power to issue fines of up to £17.5 million or 4% of a company’s annual worldwide turnover, whichever is higher.

How we can help

Organisations must be able to demonstrate they are GDPR compliant, which means keeping up-to-date records of the data processing activities you are conducting and noting down the policies you have in place to enable you to follow the rules. If you need any assistance with this, please get in touch.

Contact Chris Cook

Use this form to contact Chris Cook directly with details of your enquiry. It costs nothing to make an enquiry and it is entirely confidential.

Alternatively, you can email chris.cook@salaw.com or call 01727 798089.

See our privacy notice to find out how we use and protect your data.

Name & Email
Message
Read our latest views & insight about the GDPR
Read all GDPR related views & insights
SA Law Red arrow neon light image
Views & Insights
Government Response to Data Protection Fee Regime Updates

The Information Commissioner’s Office (ICO) is the regulator of data protection and other information rights legislation and is sponsored by the Department…

Read More
GDPR Numbers Image SA Law
Views & Insights
The Future of Data Protection in the UK

'UK GDPR' - What is the Data Reform Bill?

Read More
SA Law Red arrow neon light image
Data Protection and workplace coronavirus testing

Managing the data protection challenges of workplace coronavirus testing

Read More
GDPR Numbers Image SA Law
Views & Insights
EU-US Privacy Shield declared invalid

The European Court of Justice (ECJ) invalidated the EU-US Privacy Shield as an appropriate mechanism to meet the GDPR’s cross-border personal data transfer…

Read More
SA Law Red arrow neon light image
Views & Insights
GDPR: two years on

Chris Cook examines a recent report from the European Commissions review of the GDPR, two years on.

Read More
GDPR Numbers Image SA Law
Views & Insights
A new age: working from home and GDPR

What GDPR issues may arise from working from home and what you should do to reduce risk and stay compliant.

Read More
SA Law Red arrow neon light image
Data protection and the coronavirus pandemic

Good news: The ICO provides clarity on common areas of data concerns during the unprecedented coronavirus pandemic.

Read More
SA Law Red arrow neon light image
Views & Insights
Data protection and school photographs

ICO shares guidance following two schools being reprimanded for distributing photographs of pupils without parents’ consent.

Read More
Read all GDPR related views & insights

© SA LAW 2025

Every care is taken in the preparation of our articles. However, no responsibility can be accepted to any person who acts on the basis of information contained in them alone. You are recommended to obtain specific advice in respect of individual cases.