Just a quick note to drop it, here, already before my holiday. May elaborate on the subject later, in a much extended form. The idea being:
Privacy is about Information, not about Data. Privacy sits on the divide, or jump, from data to information, as in this previous post.
Data doesn’t mean a thing. And yes there’s use in protecting data, but that’s only part of the picture. To discuss ‘directly or indirectly identifying data’ one needs to understand the value, and information, in data combinations. So you’ll have to keep the information value in mind always.
Which also means that if you discuss topics with various categorically-not-understanding-anything-other-than-bonuses stakeholders under the common header of personal data protection, you have lost connection to them. By giving up before you started; they will not ‘get it’. They know ‘data’ only in the abstract, as something to stay away from. If you don’t keep the (distinction AND connection) in mind and exepelainify it extensively ‘externally’, you lose.
Same, if you don’t bridge the gap ‘internally’ in your in-group. Only when an exhaustive search for all meaning of any combination of data has been completed, would one know what data elements could possibly be necessary for identification and hence are privacy-sensitive.
This would probably set the threshold very low indeed. But hey, that’s your problem right there. Offer perfect protection of get sued into oblivion.