Personally identifiable information (PII) is any piece of information that can be used to identify an individual. PII can include a full name, email address, social security number, phone number, driver’s license number, IP address, passport number, home address or geolocation, as well as any type of sensitive data such as biometric data or medical records.

Personally identifiable information is a term mostly used in the U.S., while the term personal data was cemented in the EU General Data Protection Regulation. However, although the two terms are often used as synonyms, their definitions differ slightly.

Since every organization processes personal data, each one is responsible for compliance with the applicable data protection laws. The first step towards compliance is understanding the difference between PII and personal data, and understanding which data requires additional safeguards. To achieve compliance, you will have to treat personal data as the wider term.


Examples of Personally Identifiable Information

It is important to note that not all personally identifiable information is equally sensitive or requires the same level of protection. The best way to differentiate sensitive data is to ask whether disclosing the PII could cause serious harm to the individual.

Examples of sensitive PII

➡️ Credit card number
➡️ Social security number
➡️ Passport number
➡️ Driver’s license number
➡️ Biometric data: fingerprints, retina scans, or voice signature
➡️ Medical records

Examples of PII

➡️ Address information
➡️ Full Name
➡️ Email address
➡️ Personal telephone number
➡️ Internet Protocol (IP) or Media Access Control (MAC) addresses
➡️ Login data

Examples of quasi-identifiers

Quasi-identifiers are not considered PII on their own. However, when linked to other personal information, they could identify a specific individual.

➡️ Date of birth
➡️ Race
➡️ Gender
➡️ Business telephone number
➡️ Place of birth

Difference between PII and personal data

If the definition of personally identifiable information is compared to the definition of personal data set out in the GDPR, the GDPR definition was deliberately left wider so that it also includes data where the link between the data and an identifiable individual is less tangible, or where the individual can be identified only indirectly.


Therefore, personally identifiable information can be considered as a subset of the GDPR definition of personal data, since personal data is a much broader term.

What is personal data under the GDPR

Understanding the concept of personal data as defined by the GDPR is one of the basics of GDPR compliance. It matters all the more because all companies that process the personal data of EU citizens or residents are obligated to comply with the GDPR, not just EU-based organizations.


GDPR, Article 4 (1): ‘personal data’ means any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.

The WP29 Opinion 4/2007 on the concept of personal data (from 2007 and still relevant) recognizes four main building blocks of the definition:

1. “Any information”

This means the concept includes any type of information about the person, both objective and subjective, including opinions or assessments, which are common in the banking, insurance and HR sectors. Also, the GDPR does not care whether the information is true or false, proven or disputable; it treats all such information the same.

The content of personal data includes sensitive information but also all kinds of general information: it covers data about private and family life and any type of activity undertaken by the individual.

The GDPR concept of personal data also covers any format or medium on which the information is held, including photographic, numerical, alphabetical or acoustic form, whether stored in computer memory, on paper, on videotape or in any other way.

(Figure: WP29 example of personal data, from WP29 Opinion 4/2007 on the concept of personal data.)

2. “Relating to”

Information is considered to relate to an individual if it is about that individual. This is a crucial element of the definition, since the link between the data and an individual is not always easy to establish and define. Information that relates to an object, an event or a process can sometimes also be considered personal information.

(Figure: WP29 example of information “relating to” an individual, from WP29 Opinion 4/2007 on the concept of personal data.)

For data to be considered as relating to an individual, a “content” element, a “purpose” element or a “result” element should be present. In other words, the data is about the individual, the data is used to assess or evaluate the individual, or the processing has an impact on the individual’s rights and interests.

3. “Identified or identifiable”

According to the WP29, “a natural person can be considered as “identified” when, within a group of persons, he or she is “distinguished” from all other members of the group. Accordingly, the natural person is “identifiable” when, although the person has not been identified yet, it is possible to do it…”

(Figure: WP29 example of identified and identifiable personal data, from WP29 Opinion 4/2007 on the concept of personal data.)

A person can be directly identified by a full name, but is only identifiable by an IP address if, for example, the IP address is combined with other information the service provider holds on that individual.

4. “Natural person”

The protection of personal data applies to natural persons. In general, the GDPR does not apply to the personal data of deceased persons or to information relating to legal persons. Of course, there are exemptions, and Member States can also extend the scope of the GDPR on this subject.

Pseudonymization and anonymization of personal data

We have talked about pseudonymization and anonymization in one of our earlier blogs: What you need to know about pseudonymization according to the GDPR.

Think of pseudonymization as a form of security measure: it can help you encrypt and secure personal data. However, the GDPR still considers pseudonymized data to be personal data, since the process is reversible, so you are still obligated to comply.

Pseudonymization is a great way of securing personal data, thereby helping you avoid the cost of a potential data breach and fulfilling your obligation to implement appropriate technical measures under the GDPR. On the other hand, anonymization irreversibly alters data so that the data subject is no longer identifiable, directly or indirectly, and the data is therefore no longer considered to be personal information.
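To make the distinction concrete, here is an added Python example (not code from the original post): it pseudonymizes constructed sample records with a keyed token plus a separately held mapping, shows that whoever holds the mapping can reverse it, and then anonymizes the same records by dropping the direct identifiers and generalizing the quasi-identifiers listed earlier until every combination is shared by at least k rows. The record fields, the demo key and the choice of k are assumptions made for this example.

```python
import hashlib
import hmac
from collections import Counter

# Constructed sample records for illustration only; no real persons.
RECORDS = [
    {"name": "Alice Example", "email": "alice@example.com", "dob": "1984-03-12", "city": "Lyon", "diagnosis": "asthma"},
    {"name": "Bob Sample", "email": "bob@example.com", "dob": "1988-07-01", "city": "Lyon", "diagnosis": "none"},
    {"name": "Carol Demo", "email": "carol@example.org", "dob": "1991-11-23", "city": "Lille", "diagnosis": "diabetes"},
    {"name": "Dan Test", "email": "dan@example.org", "dob": "1995-02-14", "city": "Lille", "diagnosis": "none"},
]
KEY = b"constructed-demo-key-do-not-reuse"  # assumption: a real deployment would keep this in a KMS
DIRECT_IDENTIFIERS = ("name", "email")
QUASI_IDENTIFIERS = ("birth_decade", "city")


def pseudonymize(records, key):
    """Replace direct identifiers with a keyed token; return (pseudonymized rows, mapping).
    The mapping is the 'additional information' that must be kept separately (GDPR Art. 4(5))."""
    mapping, out = {}, []
    for r in records:
        token = hmac.new(key, r["email"].lower().encode(), hashlib.sha256).hexdigest()[:16]
        mapping[token] = {k: r[k] for k in DIRECT_IDENTIFIERS}
        out.append({"token": token, **{k: v for k, v in r.items() if k not in DIRECT_IDENTIFIERS}})
    return out, mapping


def re_identify(pseudo_row, mapping):
    """Reversal is possible for the holder of the mapping, which is why the data stays personal data."""
    return {**mapping[pseudo_row["token"]], **{k: v for k, v in pseudo_row.items() if k != "token"}}


def _qi_key(row):
    return tuple(row[q] for q in QUASI_IDENTIFIERS)


def anonymize(records, k=2):
    """Drop direct identifiers, generalize date of birth to a decade, suppress rows not shared by k others."""
    rows = [{"birth_decade": f"{int(r['dob'][:4]) // 10 * 10}s", "city": r["city"], "diagnosis": r["diagnosis"]}
            for r in records]
    counts = Counter(_qi_key(row) for row in rows)
    return [row for row in rows if counts[_qi_key(row)] >= k]


def k_anonymity(rows):
    """Smallest group size over all quasi-identifier combinations (0 for an empty table)."""
    counts = Counter(_qi_key(row) for row in rows)
    return min(counts.values()) if counts else 0
```

With these four records the anonymized table is 2-anonymous, while asking for k=3 suppresses every row: anonymization trades utility for the guarantee that no row can be singled out.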

This year, 80% of breached organizations stated that customer PII was compromised in the breach, far more than any other type of record. While the average cost per lost or stolen record was $146 across all data breaches, records containing customer PII cost businesses $150 per compromised record.