What Types of Data Are Covered by the General Data Protection Regulation? (2025)

11 Dec 2024 SSNAPE

Written by Stuart Snape, who has more than 20 years' experience in the legal sector. During this time, he has helped countless individuals make successful personal data breach claims.

The General Data Protection Regulation (GDPR) governs how organisations, including employers, must handle personal data across the European Economic Area (EEA); since Brexit, the UK applies its own near-identical version, the UK GDPR, alongside the Data Protection Act 2018. When a data breach occurs, individuals have the right to take action, particularly if their employer is responsible. This post explains the types of data covered by GDPR and what options are available if your rights are violated.

GDPR, in force since 25 May 2018, exists to protect personal data and requires organisations to handle it securely. It aims to give individuals control over their data and to hold organisations accountable for breaches. Organisations established in the EU must comply with it, as must organisations outside the EU that offer goods or services to individuals in the EU or monitor their behaviour; in every case, personal data must be processed lawfully, fairly and transparently. The regulation therefore reaches both EU and non-EU businesses that deal with EU data subjects.

What constitutes personal data?

Under GDPR, personal data is any information relating to an identified or identifiable natural person, whether the person can be identified directly or indirectly. This includes names, addresses, identification numbers, location data and online identifiers such as IP addresses and cookie IDs. Personal data covers both digital records, such as electronic files, and physical records, such as paper documents held in a structured filing system. Any organisation handling personal data must follow GDPR rules, regardless of the format of that data.

GDPR distinguishes certain types of personal data as “special category data,” which require extra protection due to their sensitive nature. Special category data includes information about an individual’s:

  • Racial or ethnic origin - any data that reveals an individual’s race or ethnicity.
  • Political opinions - data that indicates an individual’s political beliefs or affiliations.
  • Religious or philosophical beliefs - information related to an individual’s faith or moral views.
  • Trade union membership - records of membership in a trade union or similar organisations.
  • Health data - any information about an individual’s physical or mental health, including medical records and details of disabilities.
  • Sex life and sexual orientation - data regarding an individual’s sexual relationships or orientation.
  • Genetic data - data that reveals unique genetic characteristics, often used in medical contexts.
  • Biometric data - information, such as fingerprints or facial recognition data, used to identify an individual uniquely.

Special category data is protected more rigorously under GDPR. Processing it is prohibited unless an organisation has both a lawful basis under Article 6 and one of the specific conditions in Article 9, such as the individual's explicit consent, or a necessity to process the data for employment, social security or social protection law, for the establishment, exercise or defence of legal claims, or for occupational medicine and healthcare purposes. Data about criminal convictions and offences is not special category data but is subject to similar restrictions under Article 10.

Data processed by employers

Employers handle a wide range of personal data about their employees, often including both standard personal data and special category data. Common types of data processed by employers include:

  • Employee records - this data typically includes names, addresses, contact details and national insurance numbers.
  • Payroll information - employers process data related to salaries, bank details, tax information and pension contributions.
  • Health and medical records - employers may hold health information for purposes such as sick leave management, workplace adjustments, and occupational health assessments.
  • Performance evaluations - many employers keep records of employee performance, disciplinary actions and any relevant training certifications.
  • Attendance records - employers track data on employee attendance, holidays and absences, including parental leave and other types of authorised leave.

Under GDPR, employers must implement appropriate safeguards to protect this data. Failing to do so can lead to data breaches, exposing individuals to risks like identity theft or discrimination. If an employer mishandles employee data, they may face legal consequences, including potential claims for compensation from affected individuals. Employers must clearly define and communicate their data privacy policies and ensure compliance with GDPR obligations, including accountability for their vendors' adherence to these requirements.

Data rights under GDPR

Individuals have specific rights under GDPR that allow them to control how their data is used and handled. These rights include:

  • Right to access - individuals have the right to know what personal data an organisation holds about them. They can request access to this data at any time.
  • Right to rectification - if personal data is inaccurate or incomplete, individuals can request that it be corrected or updated.
  • Right to erasure - also known as the “right to be forgotten,” this allows individuals to request the deletion of their personal data, particularly if it’s no longer necessary for the purposes it was collected.
  • Right to restrict processing - individuals can request a restriction on the processing of their data, particularly if there’s a dispute about the accuracy of the data or the legality of its processing.
  • Right to data portability - this allows individuals to request a copy of their personal data in a commonly used format, so they can transfer it to another organisation.
  • Right to object - individuals can object to the processing of their data for certain purposes, such as direct marketing or profiling.

These rights help individuals to manage and protect their personal data. If an employer breaches these rights, it may lead to a formal complaint to the Information Commissioner’s Office (ICO) or legal action, depending on the situation.

Data collection and consent

The GDPR requires a lawful basis for every collection and use of personal data. Consent is one of six such bases; the others include performance of a contract, compliance with a legal obligation and the organisation's legitimate interests. Explicit consent is required only in particular cases, for example as a condition for processing special category data. Whatever the basis, organisations must be transparent about why they are collecting data and how it will be used, informing individuals at the point of collection through a privacy notice. In the employment context, regulators advise against relying on consent for routine processing, because the imbalance of power between employer and employee makes it hard to show that consent was freely given; employers usually rely instead on contract, legal obligation or legitimate interests.

Consent requirements

Under the GDPR, consent must meet several key criteria to be considered valid:

  • Freely given: individuals must be able to give their consent without any pressure or coercion. Consent should be a genuine choice.
  • Specific: consent must be specific to the purpose of the data collection and processing. Blanket consent for unspecified purposes is not acceptable.
  • Informed: individuals must be informed about the purpose of the data collection and processing, as well as their rights under the GDPR. This includes information on how their data will be used, who will have access to it, and how long it will be retained.
  • Unambiguous: consent must be clear and unambiguous, with no room for misinterpretation. This requires a clear affirmative action, such as ticking an empty box or signing a form; pre-ticked boxes, silence or inactivity do not count as consent.
  • Revocable: individuals must be able to withdraw their consent at any time. Organisations must make it easy for individuals to revoke their consent and must act on such requests promptly.

By adhering to these consent requirements, organisations can ensure that they are collecting personal data in a manner that respects individuals’ rights and complies with the GDPR.

GDPR compliance requirements

To ensure compliance with the GDPR, organisations must implement various measures to protect personal data and ensure that data subjects’ rights are respected. This involves adopting a proactive approach to data protection and embedding privacy into all aspects of data processing activities.

A further requirement under the GDPR is the appointment of a Data Protection Officer (DPO) where an organisation is a public authority, or where its core activities involve large-scale regular and systematic monitoring of individuals, or large-scale processing of special category data or criminal conviction data. Other organisations may appoint a DPO voluntarily, and the same rules then apply to the role. The DPO oversees the organisation's data protection strategy and ensures that personal data is processed in accordance with the GDPR. The DPO must have expert knowledge of data protection law and practice, must be able to act independently, and must report to the highest level of management. Their responsibilities include:

  • Monitoring compliance with the GDPR and other data protection laws.
  • Providing advice on data protection impact assessments.
  • Acting as a point of contact for data subjects and the supervisory authority.
  • Training staff on data protection practices and raising awareness within the organisation.

By appointing a DPO, whether required to or voluntarily, organisations have a dedicated professional focused on maintaining GDPR compliance and protecting personal data. The role helps to foster a culture of data protection and ensures that the organisation meets its legal obligations under the GDPR. The DPO's contact details must be published and notified to the supervisory authority.

How data breach solicitors can assist

If an individual's data has been compromised, especially due to their employer's negligence, they can seek assistance from data breach solicitors to address the breach and pursue compensation. Solicitors specialising in data breaches, such as the team at Graham Coffey & Co. Solicitors, have a thorough understanding of GDPR and the legal avenues available to individuals affected by a breach.

When an individual consults a solicitor, the process typically begins with a review of the circumstances surrounding the breach. The solicitor will assess whether the data involved falls under personal or special category data, which impacts the potential claim’s scope and severity. By gathering evidence such as emails, documents and records of the data handling process, solicitors can build a case to show where the employer failed to uphold GDPR obligations. This may include failing to secure sensitive information, neglecting data protection protocols, or mishandling data requests.

In cases where the breach has caused tangible harm, such as identity theft, fraudulent use of personal information or emotional distress, individuals may be entitled to compensation. Solicitors guide their clients through the claims process, handle communications with the responsible parties, and, if necessary, represent the individual in court. A successful claim can result in compensation for the financial losses and emotional distress caused by the breach.

Data minimisation

Data minimisation is a core principle of GDPR that requires organisations to limit the personal data they collect to what is adequate, relevant and necessary for a specific purpose. For employers, this means collecting only information directly relevant to managing employment, such as contact details, payroll information and performance records. Collecting data beyond what is necessary for these purposes is itself an infringement of GDPR, whether or not a security incident follows.

In practice, data minimisation prevents organisations from over-collecting personal data, which can reduce the risk of exposure in a breach. Employers should periodically review the personal data they hold, ensuring it is current, relevant, and limited to what is necessary for employment-related functions. For instance, if health data is collected as part of occupational health assessments, it must be limited to what is needed to assess an employee’s ability to perform their role or ensure workplace safety.

Get in touch with data breach experts

When a data breach occurs, particularly due to an employer’s negligence, Graham Coffey & Co. Solicitors provide the necessary support. We help affected individuals understand their rights, gather evidence, and pursue compensation for any damages. If you believe your data has been mishandled or breached, consult with our data breach solicitor team to address the situation and hold the responsible parties accountable. Call us on 0161 532 8996 or fill out our contact form.
