GDPR is concerned with the protection of personal data. Understanding what counts as personal data is important and, fortunately, straightforward under GDPR.
GDPR defines "personal data" in Article 4 of the regulation:
> ‘personal data’ means any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person;
The list of potential identifiers under GDPR is short:
GDPR encourages the removal, or separation, of identifiers for personal data. These identifiers, through automated means, can be added back to data to make it identifiable.
GDPR does list special categories of data that have specific rules for processing. These rules are detailed and beyond the scope of this training, but the special categories are racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, genetic data, biometric data for the purpose of uniquely identifying a natural person, data concerning health, and data concerning a natural person’s sex life or sexual orientation. As a starting point, the regulation states that processing of these categories of data shall be prohibited.
Another key principle of GDPR is data minimization. Article 5 states that the amount of personal data collected should be adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed ('data minimisation'). The intent is to collect only the data that is absolutely necessary for the purpose of processing.
The best rule of thumb is to assume that your data contains personal data until proven otherwise.