Yup - @1101010, as DB says, it’s not just any data that can identify a person; any data that can be combined to identify them has to be treated as personal data, and anonymisation doesn’t allow you off the hook either because (to use DiS as an example):
- if all data is anonymised and collected together in the same way the “old anonymous comments” on DiS were, the people who submitted their posts still have the right to have their ones removed
- if it is pseudo-anonymised (i.e. a banned user is renamed as “Anonymous user 28163” and their profile has location, avatar etc. wiped) then there’s still a whole load of personal data all linked together by a single key (the username), and they still have the right to contact DiS and have all those posts removed.
The only option as I understand it under GDPR is to provide the option for a single user’s data to be wiped, albeit there’s a caveat to that:
- A data controller can insist that they need to maintain the data necessary to continue to do business with an individual if that individual wants to continue to have a service provided to them or if they legally have to for regulatory reasons. For example, a telco or energy company would require billing details, phone number etc., or a bank needs to maintain call recordings for up to 7 years to remain in line with other laws.
As you say, it means a lot of IT systems, particularly old ones, are difficult to make compliant, but that’s going to be the designers’ and developers’ problem unfortunately.