The GDPR regulates the collection, storage, use, and sharing of “personal data.” Personal data is defined very broadly under the GDPR as any data that relates to an identified or identifiable natural person.
Personal data can include, but is not limited to, online identifiers (e.g., IP addresses), employee information, sales databases, customer services data, customer feedback forms, location data, biometric data, CCTV footage, loyalty scheme records, health and financial information and much more. It can even include information that does not appear to be personal – such as a photo of a landscape without people – where that information is linked by an account number or unique code to an identifiable individual. Even data that has been pseudonymized can still be personal data if the pseudonym can be linked to a particular individual.
You should also be aware that the processing of certain “special” categories of personal data – such as personal data that reveals a person’s racial or ethnic origin, or concerns their health or sexual orientation – is subject to more stringent rules than the processing of “ordinary” personal data.
This evaluation of personal data is highly fact-specific, so we recommend engaging an expert to evaluate your specific circumstances.