Personal data is the foundational concept underpinning every modern privacy regulation. The GDPR defines it expansively: any information relating to an identified or identifiable natural person, where identifiability can be direct (name, email) or indirect (an IP address combined with other context). US laws like the CCPA are similarly broad in reach under the term "personal information"; HIPAA defines "individually identifiable health information" within the narrower healthcare context.
The practical consequence is that almost any data point an organization handles about its customers, employees, or visitors is in scope for some privacy regime. Online identifiers — cookies, advertising IDs, device fingerprints, IP addresses — count even when no name is attached. So do inferences derived from personal data: a model output that predicts a person's gender or political preference is personal data about that person.
This expansive scope is what makes data governance and privacy programs hard. You cannot comply with rights requests, retention policies, or transfer restrictions without first knowing which fields in which systems contain personal data — which is why data discovery, classification, and mapping are foundational disciplines rather than optional ones.
