by StupidOne 2970 days ago
Firstly - I have yet to get a solid definition of "personal data". Is it my name or is it "1.8m tall guy in green T-shirt who is head of team X"? The definition is so blurred (or so broad) you can virtually classify any data as personal.

Is it enough to identify a person?

Name alone is probably not, as many people share names, unless you have an unusual name. Add address and phone number and it will be. IP address on its own is not.

Is "1.8m tall guy in green T-shirt who is head of team X" enough to identify them? If so it's personal data.

Most of this applied to the Data Protection Act too. GDPR adds some items like biometrics.

Everything you mentioned is considered PII according to GDPR.
From GDPR itself:

> Natural persons may be associated with online identifiers provided by their devices, applications, tools and protocols, such as internet protocol addresses, cookie identifiers or other identifiers such as radio frequency identification tags. This may leave traces which, in particular when combined with unique identifiers and other information received by the servers, may be used to create profiles of the natural persons and identify them.

My emphasis.

> personal data is any information relating to an individual, whether it relates to his or her private, professional or public life. It can be anything from a name, a home address, a photo, an email address, bank details, posts on social networking websites, medical information, or a computer’s IP address.

From the Wikipedia article about GDPR [1]

[1]: https://en.wikipedia.org/wiki/General_Data_Protection_Regula...

Not "relating to", but "can be used to identify a natural person".

An IP address, for example, isn't automatically personal data. It might be if you can link it with other information that can be used to identify someone.

We go by the definition of "if it can be used to build a profile, it's PII". So your example is PII. If you want to store that information, anonymize it and you might actually not have to do much to comply with GDPR.

Does that include IP addresses? How do you anonymise it such that you can be sure it cannot "be used to build a profile"?

Why would you keep the IP address in the first place?

If it is for fraud-prevention, then that is sufficient reason to keep it unanonymised...

3 reasons to keep the IP: statistics, analytics, and fraud prevention.

Anonymizing it does not seem to solve anything, since the anonymized version "can be used to build a profile" so "it's PII"...

> 3 reasons to keep the IP: statistics, analytics

That's exactly why GDPR is a good thing. It prevents anybody from doing statistics and keeping analytics about the users. Want to collect this information in order to profile your users and offer them a better product (ndr. better ads)? Well tough luck. You either anonymize and stop profiling and tracking your users or you close shop in Europe. I don't see how this is a bad thing in any possible way. You say it costs money? I guess then some of the money they made by targeting users and selling their personal data so far can be put to good use.

Please note I was NOT talking about selling personal data, ads or ad-targeting in any way.

Just regular analytics and statistics of usage and environment to simply improve the product.

Have a login system? You're likely storing email addresses, which are considered personal data.

If the information can be used to build a profile linked to me, it's PII. If you do not and cannot link it to me, then it's no longer PII. That is kinda in the name, Personally Identifiable Information. In short, if the collection of information can point to me, it's PII. If it cannot point to me it's not PII.

Problem is, if we take it to the extreme, we are basically playing a game of Cluedo.
Is "18 year old" PII? - no
Is "orders pizza every Friday" PII? - no
Is "always misspells word cheese" PII? - no
Is "leaves 10% tip" PII? - no
Combine it and you have PII.