What Counts as Personal Data?
- Use this page to tighten what counts as personal data? with owners and dates.
- Connect narrative to systems: where data lives, who can export it, what breaks on delete.
- Add evidence habits (logs, tickets) so audits do not rely on memory.
- Bookmark official resources for statutory text; stay skeptical of unattributed claims.
- Use the compliance portal to chain the next guide when this section is done.
See also: Compliance portal · Official resources · Guides index
Teams often underestimate how much data in their actual systems can relate to identifiable people. The mistake is usually not legal theory — it is workflow blindness.
Do not think only in terms of visible profile fields. Think about anything in your stack that relates to a real person and shapes records, decisions, communications, or service around them.
Where personal data shows up
- Account creation and onboarding fields
- Checkout, billing, or customer-service records
- Support conversations and ticket histories
- CRM and lifecycle marketing systems
- Analytics and product events tied to accounts or identifiable users
- Exports, spreadsheets, dashboards, and vendor tools built on that information
Why this matters operationally
Once businesses understand how broad their practical data footprint is, a lot of other pages on this site start to make sense: notices need to be more accurate, retention logic becomes more important, deletion becomes harder, and vendor review stops being optional theater.
Common mistakes
- Ignoring support and CRM data because it is “not the product database”
- Assuming analytics or event data is too abstract to matter
- Forgetting spreadsheet exports and manual workflows
- Failing to connect vendor tools back to the same underlying user/customer data
What to do next
The best next step is not to debate edge cases endlessly. It is to map the major systems and flows in the business so your team can see where personal data actually lives and moves.