Is gender considered PII (Personally Identifiable Information) under the GDPR?

Question

Since GDPR is shaking everything up at the minute I'm working on a few changes to our website/process.

I work in eCommerce in UX (UK based) and support marketing teams with certain activities.

My question is, does gender of an individual count as PII?

We store gender in a data layer as a JavaScript variable which is held within our own business, we then can choose to pass these variables across to a testing platform to target individuals based on the presence of these variables. As I'm not a legal/data type person I'm not 100% sure if by us storing and having the means to pass a person's gender (pulled from info we get when they create an account with us) to a third party, we are breaching any kind of information security agreements?

If this is down to company policy etc. then just let me know and I'll close the question as it's not really for here.

Answer 1

The definition of personal data as mentioned in the GDPR:

‘personal data’ means any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person;

As you state that you use the presence of the variable to target individuals, the gender definitely has an indirect reference to someone's identity and as such, is personal data. However, that doesn't mean that you have to stop processing the gender in the context you described.

From a risk perspective (which is what the GDPR is all about), I don't see an issue if you only share the gender - which is actually pseudonymised since you don't supply any other direct identification data along with it.

However, you do have other obligations w.r.t. the transparency principle, incorporating the processing activity into your processing register, determining legal ground for processing (and acting accordingly), determining processor-controller relationship with your third party and including the necessary clauses in the the contract, etc. To determine all this, much more information is required than you have supplied in your question and I highly encourage to seek (legal) professional advice to support you in this matter.

Answer 2

TLDR: Possible

From https://www.seobyrvc.com/what-is-personally-identifiable-information-pii/:

The following are examples of “potentially personally-identifiable information”. That is, the data elements by themselves cannot be linked to a specific person but when combined with other information (such as items 1 through 11, above), they can be.

12. A persistent identifier such as a generic customer/user value held in a “cookie”
13. IP (Internet Protocol) address or host name
14. Date of birth, age
15. Racial or ethnic background
16. Religious affiliation
17. Gender
18. Height, weight
19. Marital status
20. Employment information
21. Medical information
22. Financial information
23. Credit information
24. Student information

Depending on a site visitor’s browser settings, cookies (item 12), which are small text files, are stored on the visitor’s local drive and transmitted between their browser and the servers hosting the sites visited.

The point here is, as standalone information, these data elements are not PII. They have the potential to be PII. They become PII when they are combined with other more specific data which, in total, identifies a specific person.

For example, a full blown credit report without a link to a specific individual is not PII. It’s simply anonymous credit information. However, even though a credit report might not have a person’s first and last name, if it includes enough information to identify to a particular person (i.e. date of birth + gender + ethnicity + zip code + IP address), it fits the definition of PII.