What kind of data needs to be in scope for GDPR compliance?
The General Data Protection Regulation (GDPR) protects the personal data of individuals in the European Union (EU). Personal data is defined as any information that relates to an identifiable natural person, such as their name, identification number, location data, or online identifier.
It also includes information about a person’s physical, physiological, genetic, mental, economic, cultural, or social identity. This includes biometric data, health or healthcare information, racial or ethnic information, political opinions, religious beliefs, and union membership.
Offering goods and services – GDPR applies to organizations that offer goods and services to people within the EU, or to EU citizens.
Monitoring behavior – GDPR also applies to the monitoring of behavior, as far as that behavior takes place within the Union. If a corporation monitors or tracks IP addresses or cookies on websites accessed by EU citizens, residents, or visitors from EU countries, it falls under the scope of the GDPR.
Personal data is information that relates to an identified or identifiable individual. Identifying an individual can be as simple as a name or number, or it could include other identifiers like an IP address, a cookie identifier, or other unique factors.
The GDPR’s scope includes:
- Employee personal data
- Information about customers, patients, or residents
- Non-public personal data of business partners and providers
- Personal data that is transferred to and processed by third parties
- Images and sound recordings
- Encrypted data
- Photos of individuals
- Video recordings