by mbrookes 3180 days ago
Any personal data is subject, whether it is contained in Word documents, PowerPoints (that could be image based scans that will need to be OCR'd to make them discoverable), spreadsheets, text files, database dumps, PST files, CSV files, etc, etc.

If it contains personal data on an EU natural person, regardless of where the company is based, or on any natural person anywhere if the company is EU based, it is subject to the GDPR.

1 comments

My question is more, what if you don't know it has personal data? Say you're just a generic document storage & sharing service, and someone uploads a generic PDF or Word, but which happens to contain personal data. Surely you're not expected to treat any possible data you receive as personal, just in case?

If you're providing a consumer storage service, and users are uploading their own data for personal use, this is outside the remit of GDPR.

If you're providing a storage service to a business that handles personal data, you're a data processor, not a data controller.

If you're the data controller, you need a classification technology that can identify personal data in those documents (amongst other capabilities).

As always, there are exceptions, but that's the general rule.

Thanks!