I have a very practical question: Since the regulation defines personal data as “Any information relating to an identified or identifiable natural person…”, does it mean first + last name is considered personal data? Historically we identified PII as a combination of several elements like name + address or name + social. If first + last is indeed considered personal information under GDPR the impact is much more significant so we want to make sure we're addressing it appropriately.
I haven't been able to get a straight answer yet so I figured someone here might be able to help.
I would say where you process the data really matters, but not for applicability of the legislation.
Processing GDPR Personal Data with no third country adequacy, no BCRs, model contracts etc - and the controller and processor are going down.
A quibble, but one I think that reinforces your point.
As the Economist states :The world's most valuable resource is no longer oil, it is data".
This is my understanding : the First name and Last name combine to create a single entity = Name - because name is not in itself a unique identifier it requires another primary element to constitute PII. there are instances where the actual name is unusual in its construct ( spelling, pronunciation etc.) but a secondary element is still required to make it identifiable - Happy for anyone to comment and disagree
Don't forget your own employees. They certainly have a right to privacy under GDPR.