GDPR Law Explained: What Counts as Personal Data?
Published on February 19, 2026

When people hear “GDPR”, they often think it is only about names and email addresses. In reality, GDPR personal data is a much wider category, and the definition is the starting point for almost every compliance decision: notices, lawful bases, security controls, retention, breach reporting, and data subject rights.

If your organisation in Jamaica serves EU/UK customers, markets to people in the EU/EEA, runs an app or website with EU visitors, or provides services to EU-based companies, the GDPR’s rules on personal data can quickly become relevant.

The GDPR definition of personal data (in plain English)

Under Article 4(1) of the GDPR, personal data means any information relating to an identified or identifiable natural person (a “data subject”). The official text is available in the GDPR itself.

There are three key ideas inside that definition:

1) “Any information” is broader than you think

Personal data is not limited to “identity documents”. It can include:

  • A single data point (like an IP address).

  • A combination of data points (like job title + employer + location).

  • Inferences and profiles (like “likely to be pregnant” or “interested in luxury travel”).

If the information is about a person in some way, it can qualify.

2) “Relating to” covers data used to treat someone differently

Information “relates to” a person when it is about them, linked to them, or used to make decisions about them. For example:

  • A customer score (fraud risk, creditworthiness, churn likelihood) relates to the person even if it is not a “name”.

  • A unique customer ID relates to the person if it is used to recognise them and tailor services.

3) “Identified or identifiable” depends on reasonable means

A person is identified when you know exactly who they are (for example, “Andre Brown, passport number X”).

A person is identifiable when you could identify them, directly or indirectly, using “reasonable means”. The GDPR’s Recital 26 explains this “reasonable likelihood” approach, including time, cost, and available technology.

In practice, that means:

  • If someone can be singled out within your systems (even if you do not know their name), the data may still be personal data.

  • If a third party could reasonably link it back to a person (for example, through matching or lookup tables), the data may still be personal data.

What counts as personal data? Practical examples (including grey areas)

A useful way to think about personal data is: Could this information identify someone, or be used to distinguish them, or be connected to them in a meaningful way?

Obvious examples (almost always personal data)

These are typically personal data in nearly every context:

  • Full name

  • Home address

  • Email address that identifies a person (for example, firstname.lastname@company.com)

  • Telephone number

  • Government-issued identifiers (passport number, national ID)

  • Photograph or video where a person is recognisable

  • Bank account details linked to an individual

Online identifiers (often personal data)

Many organisations underestimate “technical” identifiers. Depending on context, these often qualify as personal data:

  • IP addresses

  • Device identifiers (mobile advertising IDs, device IDs)

  • Cookie IDs and similar tracking identifiers

  • Precise location data (GPS)

Even when you do not know the person’s real-world name, you may still be able to single them out and build a profile, which is often enough for GDPR purposes.

Work information and business contact details

A common question is whether business contact data is personal data.

  • A corporate entity’s data (for example, a company’s registered office address) is not personal data because the GDPR protects natural persons.

  • An individual’s business contact details can be personal data if they relate to an identifiable person (for example, “General Counsel, jane.smith@company.com”).

The compliance impact varies by use case, but the label “business” does not automatically remove data from GDPR scope.

Pseudonymous data vs anonymous data (a critical distinction)

Businesses frequently claim “we anonymised it” when they actually pseudonymised it.

  • Pseudonymised data is data where direct identifiers are replaced (for example, “Customer 837491”), but re-identification is still possible with additional information. Under GDPR, pseudonymised data is generally still personal data.

  • Anonymous data is data that cannot be used to identify a person by any party using reasonably likely means. Truly anonymous data falls outside GDPR.

If you keep a mapping table, encryption key, or any other means to reverse the process, you are usually dealing with pseudonymised, not anonymous, data.

Household names are not required: “identifiable” includes indirect identification

A dataset can be personal data even if it does not contain names, if it can be linked back to a person. Examples:

  • “Female, 38, lives in a specific small community, works at a named workplace”

  • “Only employee in a department with a particular job title”

Re-identification risk is especially relevant for small organisations, niche communities, and small island contexts, where combinations of attributes can narrow down individuals quickly.
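
A way to test a name-free dataset for this kind of indirect identification, as an added example that is not part of the original article: it counts how many rows share each combination of attributes (a k-anonymity style check) and lists the rows that can be singled out. The sample rows, column names and the threshold k=2 are constructed assumptions.

```python
from collections import Counter

# Constructed sample rows: no names, emails or customer IDs, only indirect attributes.
RECORDS = [
    {"sex": "F", "age": 38, "community": "A", "workplace": "Clinic"},
    {"sex": "F", "age": 34, "community": "A", "workplace": "Clinic"},
    {"sex": "M", "age": 41, "community": "A", "workplace": "School"},
    {"sex": "M", "age": 45, "community": "A", "workplace": "School"},
    {"sex": "F", "age": 52, "community": "B", "workplace": "Hotel"},
    {"sex": "F", "age": 57, "community": "B", "workplace": "Hotel"},
    {"sex": "M", "age": 29, "community": "B", "workplace": "Hotel"},
]
QUASI_IDENTIFIERS = ("sex", "age", "community", "workplace")


def age_band(record, width=10):
    """Return a copy of the record with the exact age replaced by a band such as '30-39'."""
    low = (record["age"] // width) * width
    return {**record, "age": f"{low}-{low + width - 1}"}


def class_key(record, columns):
    """The combination of attribute values an observer could match on."""
    return tuple(record[c] for c in columns)


def singled_out(records, columns, k=2):
    """Return the rows that share their attribute combination with fewer than k rows."""
    sizes = Counter(class_key(r, columns) for r in records)
    return [r for r in records if sizes[class_key(r, columns)] < k]


def report(records, columns, k=2):
    """Summarise how many rows are unique enough to be singled out."""
    hits = singled_out(records, columns, k)
    return {"rows": len(records), "singled_out": len(hits), "examples": hits[:3]}


if __name__ == "__main__":
    print("exact ages:", report(RECORDS, QUASI_IDENTIFIERS))
    banded = [age_band(r) for r in RECORDS]
    print("10-year bands:", report(banded, QUASI_IDENTIFIERS))
```

With exact ages every row is unique; with 10-year bands one row still stands alone. A result of zero only shows that no row is unique on the chosen columns; it does not by itself establish that the data is anonymous.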

Special category data (sensitive data) under GDPR Article 9

Some personal data is treated as more sensitive. Article 9 of the GDPR restricts processing of “special categories of personal data”, including:

  • Health data

  • Biometric data used for identification

  • Genetic data

  • Racial or ethnic origin

  • Religious or philosophical beliefs

  • Trade union membership

  • Sex life or sexual orientation

  • Political opinions

This matters because special category data generally requires an Article 9 condition (not just an Article 6 lawful basis), plus tighter safeguards.

Criminal offence data (Article 10)

Information about criminal convictions and offences is handled separately under Article 10 and is subject to additional controls.

A quick “does this look like personal data?” reference table

Use this as a first pass. The real answer can depend on your context and who has access to what.

| Data element | Typically personal data under GDPR? | Why it may qualify | Common trap |
| --- | --- | --- | --- |
| Name + surname | Yes | Directly identifies a person | Assuming only “official IDs” count |
| Generic email (info@company.com) | Usually no | May not identify a natural person | It can become personal if routed to one person and used as their identifier |
| Work email (firstname.lastname@...) | Often yes | Links to an identifiable employee | Treating “business” as automatically exempt |
| IP address | Often yes | Can single out a user/device | “We don’t know the name, so it’s not personal data” |
| Cookie ID / device ID | Often yes | Enables tracking and profiling | Underestimating online identifiers |
| Aggregated statistics (properly anonymised) | No | Not identifiable | Aggregation that is reversible or too granular |
| Pseudonymous customer ID | Yes (usually) | Can be linked back via other data | Calling pseudonymisation “anonymisation” |
| CCTV footage | Often yes | Recognisable person | Forgetting that video is data too |

Why the definition matters for Jamaican and Caribbean-based organisations

Even if your organisation is based in Jamaica, the GDPR can apply extraterritorially (Article 3) when you:

  • Offer goods or services to people in the EU/EEA, or

  • Monitor the behaviour of people in the EU/EEA (for example, tracking across websites/apps)

So the “personal data” question becomes operational for:

  • Jamaican hotels, travel providers, and tour operators with EU guests

  • Caribbean e-commerce brands shipping to Europe

  • BPOs and service providers processing EU customer support data

  • SaaS platforms with EU subscribers

  • NGOs and advocacy initiatives collecting supporter and volunteer data

For instance, digital civic engagement projects that gather sign-ups, location, and political views can quickly touch special category data (political opinions). If you are exploring how online participation platforms work, a project like JustSocial.io is a useful example of how civic technology initiatives may handle identity, membership, communications, and community data, all of which can raise GDPR personal data questions depending on audience and reach.

Common misconceptions that create GDPR risk

“If it’s public, it’s not personal data”

Public availability does not remove GDPR protections. A public LinkedIn profile can still be personal data. The key issues become your lawful basis, transparency, and purpose limitation.

“If it’s encrypted, it’s not personal data”

Encryption is a strong security control, but encrypted data can still be personal data if it can be decrypted by you or another party with reasonably likely means.

“We only have analytics, not personal data”

Analytics identifiers can still be personal data if they single out users, especially when combined with other data points.

“It’s just a customer number”

If that number is used to recognise a returning person, link transactions, or make decisions about them, it often relates to an identifiable individual.

A practical 5-question test your team can use

When you are unsure, run through these questions:

  1. Is it about a natural person, directly or indirectly?

  2. Could someone be identified from it, even indirectly (alone or combined with other data)?

  3. Can an individual be singled out within our systems (even without a name)?

  4. Who could reasonably link it to a person (us, vendors, partners), and how?

  5. Does it reveal sensitive information (health, biometrics, political opinions), even by inference?

If you answer “yes” to any of (2) to (5), treat it as personal data until a proper assessment proves otherwise.

[Figure: a simple flowchart showing how to classify information under GDPR: anonymous data vs personal data, then personal data split into normal personal data vs special category data and criminal offence data, with short example labels like IP address, name...]

What to do next if you discover you process personal data

Once you confirm the information is personal data, the next step is not “panic”; it is governance. In most organisations, the highest-impact actions are:

Map your personal data

Maintain a clear view of:

  • What data you collect

  • Why you collect it

  • Where it is stored (systems, vendors, countries)

  • Who has access

  • How long you keep it

This supports GDPR accountability and helps with breach response.

Align each processing activity with a lawful basis

Personal data processing generally needs an Article 6 lawful basis (such as contract necessity, legitimate interests, consent, legal obligation). If special category data is involved, add an Article 9 condition.

Update privacy notices and internal policies

Your notices should reflect what you actually do, in language users can understand. Internally, staff need rules they can follow in real workflows.

Review vendors and cross-border transfers

If personal data goes to service providers, cloud tools, or group companies, you will likely need contracts and transfer assessments.

Frequently Asked Questions

What is the simplest definition of personal data under GDPR?

Personal data is any information that relates to an identified or identifiable natural person, including indirect identifiers like online IDs.

Is an IP address personal data under GDPR?

Often yes. Even without a name, an IP address can single out a user or be linked to them using reasonably likely means.

Are cookies considered personal data under GDPR?

A cookie itself is a small text file, but cookie identifiers and similar tracking IDs often qualify as personal data because they can identify or single out a user.

Is pseudonymised data still personal data?

Usually yes. If a person can be re-identified with additional information (like a key or mapping table), pseudonymised data remains personal data.

Is a business email address personal data?

It can be. If the email identifies an individual (for example, firstname.lastname@company.com), it often qualifies as personal data.

What is special category data?

Special category data is sensitive personal data under GDPR Article 9, such as health information, biometrics used for identification, political opinions, and religious beliefs, and it has stricter processing rules.

Need advice on whether your data is “personal data” under GDPR?

Determining what counts as personal data is the foundation of GDPR compliance, but the real risk (and cost) usually comes from getting the edge cases wrong: online identifiers, analytics, pseudonymised datasets, employee records, and sensitive inferences.

If your organisation operates internationally or handles EU/EEA personal data, consider getting legal guidance tailored to your data flows and business model. Henlin Gibson Henlin is a Jamaica-based international law firm with data privacy and risk expertise. You can learn more at Henlin Gibson.