Does the UK GDPR apply to mixed datasets?

read titleRead full title
Published on LexisPSL on 21/05/2021

The following Risk & Compliance Q&A provides comprehensive and up to date legal information covering:

  • Does the UK GDPR apply to mixed datasets?
  • Categories of data
  • Anonymised data
  • Pseudonymised data
  • Mixed datasets
  • Application of the UK GDPR

Does the UK GDPR apply to mixed datasets?

This Q&A considers whether the requirements of the UK General Data Protection Regulation (UK GDPR), Retained Regulation (EU) 2016/679 apply to mixed datasets, ie those which contain both personal and non-personal data.

A separate piece of EU legislation aims to support the data economy by allowing companies to move and store non-personal information anywhere in the EU. This is the Retained Regulation (EU) 2018/1807, the Free Flow of Non-Personal Data Regulation, which has been in force in the EU since 28 May 2019.

The EU Commission has published guidance on the interaction between the Free Flow of Non-Personal Data Regulation and the UK GDPR, in particular in relation to mixed datasets.

This Q&A does not consider the free flow of data specifically, but the Commission’s guidance indicates how organisations should treat mixed datasets more generally.

EU-derived laws that were applicable in the UK at the end of the Brexit transition period have been preserved in the UK’s domestic legal framework as retained EU law and accordingly Regulation (EU) 2018/1807 and guidance associated with it remains relevant.

Categories of data

The table below describes the two types of data found in mixed datasets.

Personal dataNon-personal data
Any information relating to an identified or identifiable natural person.
This means any information which makes it possible to identify a living individual can

Popular documents