Personal data is everywhere. If you’re scrambling to get ready for the GDPR, you’ve probably realised that. Because an organisation usually holds personal data of different kinds in many different places, it’s very easy to forget about a particular type of data. That can mean that you fail to protect it properly, and expose your organisation to risk. Here are three categories of personal data that you may not have considered.
3 Types of Personal Data You May Have Missed
Employee Curriculum Vitaes
Just because an employee works for you does not mean they should expect the details of their CV to be shared. They might be happy to share basic work information, such as work history; however, addresses, phone numbers and similar details are personal information and should be covered by your organisation’s data protection policy.
Don’t hang on to CVs from unsuccessful candidates longer than you need to. Unless a hiring campaign could become the subject of litigation, shred CVs and any records containing personal data of applicants. Delete them from your electronic devices as well.
Website Contact Forms
Most business websites have a contact form, allowing potential customers to register their details for a call-back. You probably know that you can only use that information to contact them for the purpose the individual agreed to. Other options – such as being added to a mailing list – should have an opt-out.
Once a lead is cold, moreover, you should delete the information, since it contains personal data. A person may become a customer or sign up for more information – which offers you fresh consent – or they don’t. In that case, you need to have a procedure for removing their personal data from your systems.
Tech Support Emails
If you provide technical support on your product or services, you probably receive a lot of emails. Those emails probably contain personal data, from user account information to contact details and other private matters. Your tech support team will want to hang on to many emails. After all, it helps them to see how past issues were resolved, and resolve future issues quickly. That could fall into the category of ‘legitimate interests’ if the Data Protection Commissioner got involved. But why wait for that to happen? It’s perfectly possible for your team to write up notes on issues and their resolution anonymously – without retaining personal data in the form of inbound emails. Yes, it’s a little more work, and you’ll get some grumbling. But it will reduce unnecessary data that you hold, and thus business risk.
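One way to put the anonymised write-up into practice is to keep the engineer's summary and resolution as the record and drop the inbound email itself, with a scrub pass as a safety net. The Python below is an added example, not code from the original article: the email, account id and regular expressions are constructed for illustration, and the "identifier must not survive" check is an assumption about how a team might want to enforce the policy.

```python
import re
from dataclasses import dataclass

# Safety-net patterns for the two kinds of contact data that most often
# get pasted into free text. These are deliberately simple; the record is
# meant to be written by a person, and the scrub only catches slips.
EMAIL_RE = re.compile(r"[\w.+-]+@[\w-]+(?:\.[\w-]+)+")
PHONE_RE = re.compile(r"\+?\d[\d\s().-]{7,}\d")


@dataclass
class SupportEmail:
    """The inbound email: held only while the case is open (constructed sample)."""
    sender: str
    account_id: str
    subject: str
    body: str


@dataclass
class CaseNote:
    """What is kept long-term: no sender, no account id, scrubbed free text."""
    category: str
    problem: str
    resolution: str


def scrub(text: str) -> str:
    """Replace email addresses and phone numbers in free text with markers."""
    text = EMAIL_RE.sub("[email removed]", text)
    text = PHONE_RE.sub("[phone removed]", text)
    return text


def write_case_note(mail: SupportEmail, category: str,
                    summary: str, resolution: str) -> CaseNote:
    """Build the anonymised record from the engineer's own summary.

    The email body is never copied into the note. After scrubbing, the
    identifiers known from the original email (assumed check) must not
    appear anywhere in the note, otherwise the note is rejected so that
    the slip is fixed before anything is archived.
    """
    note = CaseNote(category, scrub(summary), scrub(resolution))
    known_identifiers = (mail.account_id, mail.sender, mail.sender.split("@")[0])
    for ident in known_identifiers:
        for field in (note.problem, note.resolution):
            if ident and ident in field:
                raise ValueError(f"identifier {ident!r} leaked into case note")
    return note


# Constructed sample email, not a real message.
SAMPLE_EMAIL = SupportEmail(
    sender="jane.doe@example.com",
    account_id="acct-88213",
    subject="Login broken",
    body=("Hi, I'm Jane (jane.doe@example.com). Call me on +44 7700 900123 "
          "if needed. Login fails with 'invalid token' after password reset."),
)


if __name__ == "__main__":
    note = write_case_note(
        SAMPLE_EMAIL, "auth",
        "Customer reports 'invalid token' after password reset",
        "Cleared stale session, advised re-login",
    )
    print(note)
    # The inbound email can now be deleted; only `note` is retained.
```

The point of the raised error is that a note which still names the account or the sender is treated as a failed write-up rather than silently archived; the regex scrub alone would not catch an account id.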
It is easy to think that only organisations handling sensitive customer information, such as bank details and medical records, need to worry about GDPR. Hopefully, the examples above will show that the definition of personal data is vast and is something that every business should have a policy for.