In this article, I want to break down what personal data is, the types of personal data, the considerations around it, and how you can best protect yourselves as individuals from it getting into the wrong hands.
What is it?
Personal data, as per GDPR (UK and EU), is defined as information relating to an identified or identifiable natural person (the "data subject"). What does this mean?
Any data held about an individual that can directly or indirectly identify them as a person. This can include pseudonymous data: data that has been processed in such a way that it can no longer be attributed to an individual without the use of additional information.
Pseudonymised data is still personal data under GDPR because re-identification is possible, even if unlikely. This is distinct from anonymised data, where an individual cannot be identified from the data or information collected.
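To make the pseudonymised/anonymised distinction concrete, here is an added example (not from the original article) over constructed, fictitious records: a keyed HMAC token replaces the email address, the separately held key and lookup table are the "additional information" that allows re-identification, and an aggregated view suppresses groups too small to hide an individual. The key, field names and the threshold k are assumptions for illustration.

```python
import hmac
import hashlib

# Constructed sample records (fictitious people, not real data).
RECORDS = [
    {"email": "alice@example.com", "country": "UK", "balance": 120.50},
    {"email": "bob@example.com", "country": "UK", "balance": 75.00},
    {"email": "carol@example.com", "country": "DE", "balance": 300.00},
    {"email": "dave@example.com", "country": "FR", "balance": 10.00},
]

def pseudonymise(records, key):
    """Replace the direct identifier (email) with a keyed HMAC-SHA256 token.

    Returns (pseudonymised rows, lookup table). The key and lookup table are
    the 'additional information' GDPR refers to: whoever holds them can
    re-identify the rows, so they must be stored apart from the dataset.
    """
    lookup = {}
    rows = []
    for rec in records:
        token = hmac.new(key, rec["email"].encode(), hashlib.sha256).hexdigest()[:16]
        lookup[token] = rec["email"]
        rows.append({"subject_id": token, "country": rec["country"], "balance": rec["balance"]})
    return rows, lookup

def reidentify(row, lookup):
    """Map a pseudonymised row back to its data subject via the lookup table."""
    return lookup.get(row["subject_id"])

def anonymise(records, k=2):
    """Aggregate per country and suppress groups smaller than k.

    A per-country total covering a single person would still single that
    person out, so small groups are dropped rather than published.
    """
    groups = {}
    for rec in records:
        g = groups.setdefault(rec["country"], {"subjects": 0, "total_balance": 0.0})
        g["subjects"] += 1
        g["total_balance"] += rec["balance"]
    return {c: g for c, g in groups.items() if g["subjects"] >= k}

if __name__ == "__main__":
    key = b"constructed-demo-key"  # assumption: in practice a secret from a key manager
    rows, lookup = pseudonymise(RECORDS, key)
    print(rows[0])
    print("re-identified:", reidentify(rows[0], lookup))
    print(anonymise(RECORDS))
```

The pseudonymised rows remain personal data as long as anyone holds the key and lookup table; only the aggregated, suppressed output no longer relates to an identifiable person.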
The Types of Personal Data
- Names and Surnames
- Home Addresses
- Email Addresses
- Identification card numbers
- Driver's licence, passport number, etc.
- IP addresses
- Cookie IDs
- Advertising identifiers on mobile phones
- Medical data or other information held by a hospital or doctor that uniquely identifies a person.
Where This Matters
There are two primary contexts where personal data matters:
- You as a consumer.
- You as an employee, working with other businesses/ organisations.
Personal Data in the Consumer Context
First off, let's give some examples:
- A customer's name and email when signing up for a newsletter.
- A user's IP address and location when visiting a website/ online store.
- A buyer's shipping address and purchase history.
GDPR Considerations with Personal Data in the Consumer Space
- Lawful Basis Required: A business/ organisation must have a clear legal basis (e.g. consent, contract, legitimate interest) for collecting and processing data.
- Data Subject Rights: Consumers/ Individuals have the full set of rights under GDPR, including the right to access, erase, rectify, or object to processing.
- Stricter Protection: Especially for sensitive data (e.g. health, financial, biometric data), higher standards apply.
- Marketing Rules: Explicit consent is usually required for marketing communications unless "soft opt-in" conditions apply.
Sharing of Personal Data in the Consumer Space
- Sharing consumer data with third parties (e.g. advertising platforms, analytics services) requires transparency and agreements (e.g. Data Processing Agreements).
- If the data is shared internationally, appropriate safeguards must be in place.
Personal Data in the Business (B2B) Context
Again, let's run through some examples:
- A sales contact’s name, phone number, and company email
- An IT manager’s contact details provided for system onboarding
- A legal representative’s name in a contract
GDPR Considerations with Personal Data in the Business Space
- Still Personal Data: Even if it's "just a work email," it's still personal data if it identifies a person (e.g. [email protected]).
- Lawful Basis: Often justified under legitimate interest (e.g. to communicate with a business partner) or performance of a contract.
- Lower Risk Profile: The data is less sensitive than consumer data and used in a clearly defined business context.
- Transparency Still Required: You still need to inform individuals about how their data will be used, typically via privacy notices or contracts.
Sharing of Personal Data in the Business Space
Sharing B2B contact details with relevant third parties (e.g. subcontractors, SaaS providers) is permitted, but must follow GDPR principles:
- A clear, specified purpose
- Data minimisation
- Appropriate security measures
Consent is not typically required for business-related communication (e.g. sales follow-ups, account management), but opt-outs must be respected.
Personal Data going AWOL
There was a recent data breach at Coinbase, America's largest cryptocurrency exchange. The breach exposed information such as:
- Account balances
- Identification images (scans of drivers licenses, passports)
- Phone numbers
- Home addresses
- Partially hidden bank details.
One of the big ones in that list is identification images. Cryptocurrency exchanges such as Coinbase need to adhere to laws and regulations surrounding individuals' accounts, typically in the form of KYC (Know Your Customer) checks.
A KYC check is where you provide identification images, such as a passport or driver's licence, and it is then Coinbase's responsibility to mitigate risk and minimise data loss if and when a breach occurs. Sadly, if a breach occurs and this data is accessed, you could face:
- Identity theft
- SIM swapping attacks
- Phishing scams
- and more.
In this instance, investigations are continuing, so no further comment can be made.
Prevent your Data getting into the Wrong Hands
While regulations like GDPR offer strong protections, the best defense starts with being selective about what data you share and who you share it with. Before handing over your personal details, especially identification documents, payment info, or addresses, take a moment to verify the legitimacy and reputation of the company or service. Look for signs like:
- Valid privacy policy
- Secure website (HTTPS)
- Transparent data practices.
If something feels off or too invasive, trust your instincts and walk away.
Where possible, use alternative services that prioritize privacy. For example, consider using email aliases (e.g. through services like SimpleLogin or ProtonMail), payment intermediaries like Apple Pay or PayPal, or search engines and browsers that don't track you, such as DuckDuckGo or Firefox with privacy extensions. Many companies offer guest checkout options; use them to avoid creating accounts unnecessarily.
A few tips to help you stay in control:
- Only provide the minimum data necessary to access a service
- Enable multi-factor authentication wherever possible
- Regularly review and delete old accounts you no longer use
- Avoid using work or primary emails to sign up for casual services
- Periodically search your name online to see what’s publicly visible
Staying informed and cautious won’t eliminate all risks, but it significantly reduces the chance of your data falling into the wrong hands.