It's important to understand some definition of personal from GDPR perspective Personal data means "any information relating "to an identified or identifiable natural person "who can be identified directly or indirectly, "in particular by reference to an identifier "such as a name, an identification number, "location data, an online identifier "or to one or more factors specific "to the physical, physiological, genetic, "mental, economic, cultural or social identity "of that natural person." So it covers broader perspective. until GDPR, many of us observed the no PII or personally identifiable information rule. PII was easy to define. Anything that could be mapped back to an individual person, a phone number, a credit card, an email, or a physical address, all of those would be considered PII. But personal data as it's defined in the GDPR is much broader.
This could be an anonymous tracking ID or a cookie, which virtually every single digital advertising technology uses. It could be interpreted that knowing too many anonymous factors about an individual means you actually know who that individual is. If you're collecting different kinds of behavioral data or anonymous attributes like say you know someone is in a certain city, is a male between the ages of 35 and 39, and interested in pet supplies and professional football that can be considered personal data as it might be just enough to narrow it down to an individual.
Authored By - Satish Kulkarni
TCS Cyber Security Practice