Want to watch this video? Sign up for the course here. Or enter your email below to watch one free video.

Unlock This Video Now for FREE

This video is normally available to paying customers.
You may unlock this video for FREE. Enter your email address for instant access AND to receive ongoing updates and special discounts related to this topic.

Data Protection and GDPR: Understanding Data Subjects and Processing


A data subject refers to a living individual who can be directly or indirectly identified by specific information. This definition has evolved to accommodate technological advancements.

Identifying Data Subjects

An online identifier, such as an IP address, cookie identifiers, RFID tags, or MAC addresses, when combined with unique identifiers and other server-received information, can create individual profiles and facilitate identification.

Personal Data under GDPR

Under GDPR, personal data encompasses any information pertaining to an identified or identifiable person. This includes their name, address, social media posts, photographs, email addresses, medical records, banking details, online identifiers, or computer IP addresses.

If the data being processed can uniquely identify an individual, it qualifies as personal data. This is often evident when possessing their name and address, corporate email address containing their full name, or similar identifying information.

Further guidance on identifying individuals is available on the Information Commissioner's website.

Sensitive Personal Data

GDPR also recognizes sensitive personal data, which includes racial or ethnic origin, political opinions, religious or philosophical beliefs, sexual orientation, trade union memberships, medical conditions, and information regarding criminal convictions or offences. This category requires heightened protection.

Understanding Processing under GDPR

Processing, as defined under GDPR, encompasses any action performed on personal data, whether manual or automated. This includes data collection, storage, and deletion. Merely storing data without active manipulation still qualifies as processing under GDPR regulations.