The GDPR applies to any personal data of individuals located in the EU. “Personal data” consists of any information that can be used to identify a person. In some cases, it’s easy to identify personal data as it directly identifies a specific individual – for example, an email address, taxpayer or employee ID number, or a person’s name. However, personal data may also include less obvious types of information such as a person’s credit card number, location information and/or IP address. It can also include indirectly identifying information (such as age or postal code) that is used in combination with directly identifiable information. It is very broadly defined.