The UK Information Commissioner’s Office (ICO) has issued expanded guidance on “Personal Data” under the EU General Data Protection Regulation (GDPR).

Here are the highlights:

Pseudonymization does not change the status of the data as personal data. To truly anonymize under the GDPR, you must strip personal data such that the individual can no longer be identified or later re-identified using reasonably available means. If you can distinguish an individual from other individuals, then that person is “identified” or is “identifiable.”  “Online identifiers” can be personal data. This includes:

  • IP addresses
  • cookie identifiers
  • RFID tags
  • MAC addresses
  • advertising IDs
  • pixel tags
  • account handles
  • device fingerprints

To determine whether an individual is identifiable you must consider what means are reasonably likely to be used to identify the individual, taking into account all objective factors, such as: costs and amount of time required for identification; available technology at the time of the processing; and likely technological developments.

Details available here from the UK ICO.