What is Personally Identifiable Information (PII)?

Personally identifiable information (PII) is a term mostly used in the U.S., while the term personal data is defined in the EU General Data Protection Regulation (GDPR) and used in the EU.

However, there is often confusion about whether personally identifiable information and personal data are synonyms or carry slightly different meanings. The answer is more complicated than it first seems.

What is PII?

Personally identifiable information, or PII, is any piece of information that can be used to identify an individual directly or indirectly.

However, the definition of PII differs depending on the source, since no single piece of legislation defines it.

The National Institute of Standards and Technology (NIST), in Special Publication 800-122, defines PII as:

"Any information about an individual maintained by an agency, including (1) any information that can be used to distinguish or trace an individual's identity, such as name, social security number, date and place of birth, mother's maiden name, or biometric records; and (2) any other information that is linked or linkable to an individual, such as medical, educational, financial, and employment information."

Since there is no single source for the definition of PII, the best way to determine what counts as PII is an individual assessment against the law, regulation, procedure, or standard that governs your specific industry or field.

Organizations are responsible for compliance with the applicable data protection laws, and one of the first steps towards compliance is understanding which data is considered PII (or personal data) and whether it requires additional safeguards.

Difference between PII and personal data

Because the U.S. legal system combines federal and state laws with sector-specific regulations, the definition of PII is fragmented rather than stated in one place the way personal data is in the GDPR.

The difference between PII and personal data is hard to outline, since PII is defined across multiple regulations, laws, and procedures, such as:

  • the Health Insurance Portability and Accountability Act (HIPAA),
  • the Children's Online Privacy Protection Act (COPPA),
  • Federal Trade Commission (FTC) guidance,
  • U.S. Department of Labor guidance, and
  • the National Institute of Standards and Technology (NIST).

Each of these sources defines the concept for its own scope (HIPAA, for example, covers protected health information, or PHI), which produces many fine variations.

The GDPR definition of personal data is often wider than PII, because it also covers data where the link between the information and an identifiable individual is less tangible (online identifiers, for example).

In that case, personally identifiable information can be considered a subset of the GDPR definition.

Examples of Personally Identifiable Information (PII)

PII can include full name, email address, social security number, phone number, driver’s license number, IP address, passport number, home address, geolocation, and sensitive data like biometric or medical records.

It is important to note that not all personally identifiable information is equally sensitive or requires the same level of protection.

The best way to differentiate sensitive data is to ask whether disclosing the PII could cause severe damage to the individual.

Different types of PII

Examples of PII

  • Address information
  • Full Name
  • Email address
  • Personal telephone number
  • Login data
  • Credit card number
  • Social Security Number (SSN)
  • Passport number
  • Driver’s license number
  • Biometric data: fingerprints, retina scans, or voice signature
  • Medical records

Examples of linkable information

Quasi-identifiers, or linkable information, are not considered PII on their own. However, when linked to other personal information they can identify a specific individual, and in that context they also become PII.

For example, Latanya Sweeney, the founder of the Data Privacy Lab, used a combination of quasi-identifiers like gender, birth dates, and postal codes to uniquely identify an individual and concluded that the combination of all three is sufficient to identify 87% of individuals in the United States.

Linkable information is information about, or related to, an individual that can be logically associated with other information about that individual, so that the individual can be identified.

Examples of quasi-identifiers or linkable PII

  • Date of birth
  • Race
  • Gender
  • Business telephone number
  • Place of birth
  • Religion
  • Education information…
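The re-identification described above is easy to demonstrate: strip the names from a dataset, leave the quasi-identifiers in, and join it against any public register that carries the same columns. The following is an added example written for this page (it is not code from the original article or from the Data Privacy Manager product). It measures k-anonymity, the size of the smallest group of records that share the same ZIP code, gender and date of birth, links a constructed "de-identified" extract to a constructed register, and then shows how generalizing the quasi-identifiers (truncating the ZIP code, keeping only the year of birth) breaks the link. All records are invented for the illustration.

```python
from collections import Counter

# Constructed sample: a "de-identified" medical extract. Names and SSNs were
# removed, but the quasi-identifiers ZIP, gender and date of birth remain.
DEIDENTIFIED_RECORDS = [
    {"zip": "02138", "gender": "F", "dob": "1961-07-15", "diagnosis": "asthma"},
    {"zip": "02138", "gender": "M", "dob": "1975-03-02", "diagnosis": "diabetes"},
    {"zip": "02138", "gender": "M", "dob": "1975-03-02", "diagnosis": "hypertension"},
    {"zip": "02139", "gender": "F", "dob": "1988-11-30", "diagnosis": "flu"},
    {"zip": "02139", "gender": "F", "dob": "1988-11-30", "diagnosis": "fracture"},
    {"zip": "02139", "gender": "F", "dob": "1988-11-30", "diagnosis": "migraine"},
    {"zip": "02139", "gender": "F", "dob": "1961-02-03", "diagnosis": "eczema"},
]

# Constructed sample: a public register (voter-roll style) that lists names
# together with the same three quasi-identifiers.
PUBLIC_REGISTER = [
    {"name": "Alice Example", "zip": "02138", "gender": "F", "dob": "1961-07-15"},
    {"name": "Bob Example", "zip": "02138", "gender": "M", "dob": "1975-03-02"},
    {"name": "Carl Example", "zip": "02138", "gender": "M", "dob": "1975-03-02"},
    {"name": "Dana Example", "zip": "02139", "gender": "F", "dob": "1988-11-30"},
    {"name": "Eve Example", "zip": "02139", "gender": "F", "dob": "1988-11-30"},
    {"name": "Fay Example", "zip": "02139", "gender": "F", "dob": "1988-11-30"},
    {"name": "Gina Example", "zip": "02139", "gender": "F", "dob": "1961-02-03"},
]

# The columns treated as quasi-identifiers (Sweeney's ZIP / gender / birth date).
QUASI_IDENTIFIERS = ("zip", "gender", "dob")


def qi_key(record, columns=QUASI_IDENTIFIERS):
    """Tuple of the quasi-identifier values, used as the join key."""
    return tuple(record[c] for c in columns)


def k_anonymity(records, columns=QUASI_IDENTIFIERS):
    """Size of the smallest equivalence class over the quasi-identifiers.
    k == 1 means at least one record is unique and therefore linkable."""
    counts = Counter(qi_key(r, columns) for r in records)
    return min(counts.values()) if counts else 0


def link_records(deidentified, register, columns=QUASI_IDENTIFIERS):
    """Join the extract to the register on the quasi-identifiers.
    Returns (name, diagnosis) pairs where exactly one register entry matches,
    i.e. the records that are re-identified with certainty."""
    names_by_key = {}
    for entry in register:
        names_by_key.setdefault(qi_key(entry, columns), []).append(entry["name"])
    linked = []
    for rec in deidentified:
        names = names_by_key.get(qi_key(rec, columns), [])
        if len(names) == 1:
            linked.append((names[0], rec["diagnosis"]))
    return linked


def generalize(record, zip_digits=3, dob_year_only=True):
    """Coarsen the quasi-identifiers: keep the first `zip_digits` of the ZIP
    code and only the year of birth, so more records fall into each class."""
    out = dict(record)
    out["zip"] = record["zip"][:zip_digits] + "*" * (len(record["zip"]) - zip_digits)
    if dob_year_only:
        out["dob"] = record["dob"][:4]
    return out


if __name__ == "__main__":
    print("k-anonymity of raw extract:", k_anonymity(DEIDENTIFIED_RECORDS))
    print("re-identified:", link_records(DEIDENTIFIED_RECORDS, PUBLIC_REGISTER))
    coarse = [generalize(r) for r in DEIDENTIFIED_RECORDS]
    print("k-anonymity after generalization:", k_anonymity(coarse))
    print("re-identified after generalization:",
          link_records(coarse, [generalize(e) for e in PUBLIC_REGISTER]))
```

Removing the name column is not enough: any record whose quasi-identifier combination is unique in the population (k = 1) is still PII in the "linkable" sense, and a single public register is enough to attach a diagnosis to a name. Generalization raises k but costs precision, which is the usual trade-off in anonymization work.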

What is not considered PII (non-PII)?

Non-PII is information that does not, by itself, allow you to identify a person.

However, what is not considered PII is much vaguer than what is not considered personal data, because the GDPR is explicit about that distinction.

Some U.S. definitions do not treat cookie IDs or IP addresses as PII, which conflicts directly with the GDPR definition of personal data. Items commonly listed as non-PII include:

  • Aggregated statistics
  • Internet Protocol (IP) addresses
  • Media Access Control (MAC) addresses
  • Cookie IDs
  • Device IDs

What is personal data under the GDPR?

Understanding what the GDPR means by personal data is one of the basics of GDPR compliance, and therefore needs to be understood properly.

It matters beyond the EU as well: under Article 3, the GDPR applies not only to organizations established in the EU but also to organizations elsewhere that offer goods or services to, or monitor the behaviour of, individuals in the EU.

GDPR, Article 4 (1): ‘personal data’ means any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.

This means personal data is considered to be (but is also not limited to):

  • name and last name
  • home address
  • identification number
  • Internet Protocol address (IP address)
  • cookie ID
  • sensitive data such as criminal records, medical records, religious and philosophical beliefs and more…

What is not considered personal data?

According to the GDPR, the following is not considered personal data (the list is not exhaustive):

  • Information about legal entities such as companies or public authorities. The exception is information that relates to an identifiable individual (partners, employees, stakeholders, managers); such information is personal data of that individual.
  • A company registration number.
  • An email address that does not contain personal data (info@company.com).
  • Information about deceased individuals (Recital 27).
  • Anonymized data (Recital 26).

Pseudonymization and anonymization of personal data

We have covered pseudonymization and anonymization in an earlier blog post: "What you need to know about pseudonymization according to the GDPR".

Pseudonymization (GDPR Article 4(5)) replaces identifiers so that the data can no longer be attributed to a specific data subject without additional information, such as a key or lookup table, that is kept separately. It is a valuable security measure, but because the link can be restored, the GDPR still treats pseudonymized data as personal data (Recital 26), so all obligations continue to apply.

Anonymization, on the other hand, irreversibly alters the data so that the data subject is no longer identifiable, directly or indirectly, and the result is no longer considered personal data.
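A common mistake is to hash an identifier with plain SHA-256 and call the result "anonymized". The following added example (written for this page, not code from the original article or from the Data Privacy Manager product) shows why that is at best pseudonymization: an unkeyed hash of an email address is reversed by simply hashing candidate addresses, whereas an HMAC under a key held separately from the dataset (the "additional information" of Article 4(5)) resists that attack but still lets the key holder re-identify the record. The customer records, key and guess list are all constructed for the illustration.

```python
import hashlib
import hmac
import secrets
from typing import Callable, Iterable, Optional

# Constructed sample customer records (not real people).
CUSTOMERS = [
    {"email": "alice@example.com", "plan": "pro"},
    {"email": "bob@example.com", "plan": "free"},
]

# Constructed demo key. In production this lives in a KMS/HSM or a separate
# system from the pseudonymized dataset, with its own access controls.
DEMO_KEY = secrets.token_bytes(32)

# Constructed attacker guess list (a real one would be a leaked address dump).
GUESSES = ["carol@example.com", "alice@example.com", "bob@example.com"]


def normalize(email: str) -> bytes:
    """Canonical form so 'Alice@Example.com' and 'alice@example.com' match."""
    return email.strip().lower().encode()


def naive_pseudonym(email: str) -> str:
    """Unkeyed SHA-256 of the identifier: what is often mislabelled 'anonymization'."""
    return hashlib.sha256(normalize(email)).hexdigest()


def keyed_pseudonym(email: str, key: bytes) -> str:
    """HMAC-SHA256 under a key that is stored apart from the pseudonymized data."""
    return hmac.new(key, normalize(email), hashlib.sha256).hexdigest()


def dictionary_attack(target: str, candidates: Iterable[str],
                      pseudonym_fn: Callable[[str], str]) -> Optional[str]:
    """Recover the identifier behind `target` by hashing guesses.
    Succeeds whenever the pseudonym function needs no secret (or the key leaked)."""
    for cand in candidates:
        if hmac.compare_digest(pseudonym_fn(cand), target):
            return normalize(cand).decode()
    return None


def pseudonymize_dataset(records, key: bytes):
    """Replace the email column with a keyed token; other fields are kept."""
    return [{"token": keyed_pseudonym(r["email"], key), "plan": r["plan"]}
            for r in records]


def reidentify(token: str, identity_store, key: bytes) -> Optional[str]:
    """The controller, holding both the key and the identity store, can still
    map a token back to a person. This is why the data remains personal data."""
    for r in identity_store:
        if hmac.compare_digest(keyed_pseudonym(r["email"], key), token):
            return r["email"]
    return None


if __name__ == "__main__":
    leaked = naive_pseudonym("Alice@Example.com")
    print("unkeyed hash reversed to:", dictionary_attack(leaked, GUESSES, naive_pseudonym))
    token = keyed_pseudonym("alice@example.com", DEMO_KEY)
    print("keyed token reversed without key:",
          dictionary_attack(token, GUESSES, naive_pseudonym))
    print("keyed token reversed by key holder:",
          reidentify(token, CUSTOMERS, DEMO_KEY))
```

The keyed token only defends the dataset against parties who do not hold the key; the controller (or anyone who obtains the key) can re-identify every record, so the dataset must be handled as personal data. True anonymization requires removing or coarsening the information itself, not just encoding it.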

Conclusion

Knowing whether the data you process is PII, personal data, or neither is crucial on your compliance journey and helps you avoid misconceptions and unnecessary costs.

We recommend assessing each data set you process to determine whether it contains personal data, so that you can comply with the applicable laws.

Organizations should have an insight into the data they are processing, minimize the use, collection, and retention of PII or personal data to what is strictly necessary to accomplish their business purpose and implement proper procedures and technical and organizational safeguards.
