The GDPR takes a broad view of what constitutes personal data.
Personal data is “…any information relating to an identified or identifiable natural person”. Even if the organization holding the data cannot identify a specific natural person, the data might still be considered personal if a person is “identifiable” using “…all means reasonably likely to be used.” See Article 4 and Recital 26. A name is not necessary. Any identifier will do. Online identifiers like cookies, IP addresses, and RFID tags are expressly called out in the GDPR, Recital 30.
As a result, companies should up their game by protecting things like cookie data and an individual’s IP address at the same level they protect an individual’s name, address and Social Security number.