What’s PII (Personal Identifiable Information)? Guide for GDPR

On 25 May 2018 the General Data Protection Regulation, or GDPR, became applicable across the European Union (it had entered into force in 2016 with a two-year transition period). The regulation widened the territorial reach of EU data-protection law, spelled out the rights of data subjects, and tightened the obligations of controllers and processors in processing and protecting personal data, taking today’s technology into account.

What kind of data does GDPR protect? Personal data, meaning any information relating to an identified or identifiable natural person, whether the person is identified directly (a name, an identification number) or indirectly (location data, an online identifier, or factors specific to their physical, physiological, genetic, mental, economic, cultural or social identity). This article discusses how GDPR works and what personally identifiable information, or PII, is.

Table of Contents

What Is PII? Definition & Meaning
What Does GDPR Mean by Personal Data?
What Qualifies as Personal Identifiable Information?
Personally Identifiable Information Examples
Personally Identifiable Information (PII) in Privacy Law of Different Countries
What Are the New User Rights for PII?
PII Compliance
Sensitive vs. Non-Sensitive PII
Sensitive PII
Non-Sensitive PII
Who Is Responsible for Safeguarding PII?
What Qualifies as a PII violation?
How Is PII Used in Identity Theft?
How to Protect PII
Summary
Key Takeaways
GDPR FAQ
What qualifies as PII?
Is PII a legal concept?
Who is responsible for protecting PII?
What is not considered sensitive PII?
How do you protect information from PII?
Where is PII valuable?

What Is PII? Definition & Meaning

Personally identifiable information (PII) is information that can identify a person either on its own or when combined with other available data. PII includes direct identifiers (such as passport data) that uniquely identify an individual, and quasi-identifiers (such as race or date of birth) that identify nobody on their own but do so once several of them are combined. Several key points help to understand what PII is:

  1. PII is information that identifies a person when used alone or together with other relevant data;
  2. PII includes your full name, Social Security number, driver’s license number, financial information, and medical records;
  3. Non-sensitive PII is readily available from public sources and includes your zip code, race, gender, and date of birth; on their own these rarely single out one person, but in combination they often do.

Obtaining someone else’s PII is often easy, especially through social engineering such as phishing and pretexting. Identity data is a currency for cybercriminals, and as more of daily life moves online, protecting it becomes harder.

What Does GDPR Mean by Personal Data?

By personal data, GDPR means any information relating to an identified or identifiable natural person (Article 4(1)), including characteristics such as gender, age, place of residence, and mental, cultural, economic, or social identity. Directly identifying data is unambiguously linked to one person, such as a full name together with an address, or a passport number. Indirectly identifying data, such as a date of birth or a device identifier, can be linked to a person only after additional steps or in combination with other data.

Look at publicly accessible social networks. Many will say that this is not personal data because it is not private or confidential — after all, it has already been published. However, it is still connected to you as an individual because your profile is linked to your other social media accounts and emails. Eventually, they can be used to find you, too. According to GDPR, this is personal data.

Consider the IP address your computer uses to connect to the Internet. Someone who sees that address alone does not know who is behind it, but with additional information, typically held by the Internet provider, it can be tied to you. GDPR therefore treats online identifiers such as IP addresses as personal data (Recital 30), in the indirectly identifiable category.

What Qualifies as Personal Identifiable Information?

Identity is made up of many pieces of data, including the personally identifiable information (PII) discussed above. According to NIST’s PII guide (Special Publication 800-122), PII includes direct identifiers such as:

  1. Driver’s license;
  2. Credit card information;
  3. Medical records;
  4. Social Security number;
  5. Passport information;
  6. Full name;
  7. Mailing address.

The list of sensitive information that makes up your identity has expanded to include usernames and computer passwords, web pages and blogs, IP and email addresses, PINs, and so on.

Personally Identifiable Information Examples

The most high-profile example of a PII leak is the Facebook and Cambridge Analytica scandal, which became public in 2018. Cambridge Analytica, a company specializing in political psychometrics that worked with Donald Trump’s 2016 campaign, held the profile data of tens of millions of Facebook users: more than 50 million according to the first reports, up to 87 million by Facebook’s later estimate.

The data came from an app called “thisisyourdigitallife”, a personality test built by a University of Cambridge researcher. Respondents were paid a small sum and asked for permission to use their data “for scientific purposes only.” The app also harvested the profile data of respondents’ Facebook friends, which is how a few hundred thousand participants yielded tens of millions of profiles.

Facebook allowed the collection because its stated purpose was academic research, and the agreement between the parties did not permit transfer or sale of the collected data to third parties. That is exactly what happened.

Personally Identifiable Information (PII) in Privacy Law of Different Countries

Privacy and personal information laws exist in many countries and may vary accordingly. For example:

  • In the USA, federal guidance (OMB Memorandum M-07-16, adopted by NIST SP 800-122) defines “personally identifiable information” as information that can be used to distinguish or trace an individual’s identity, such as name, Social Security number, or biometric records, alone or combined with other information linked to the individual;
  • In Canada, the Personal Information Protection and Electronic Documents Act (PIPEDA) and the Privacy Act define “personal information” as information about an identifiable individual, that is, data that can identify a person by itself or in combination with other data;
  • In the European Union, Directive 95/46/EC (replaced by GDPR in May 2018) defined “personal data” as information relating to a person who can be identified by an identification number or by factors specific to their physical, physiological, mental, economic, cultural, or social identity; GDPR Article 4(1) keeps this definition and adds location data, online identifiers, and genetic factors;
  • In Australia, the Privacy Act 1988 defines “personal information” as information or an opinion, whether true or not, about an identified individual or one who is reasonably identifiable. This is one of the broadest definitions in any jurisdiction.

What Are the New User Rights for PII?

Under the GDPR, users have the right to consent to or reject data collection, delete and control the personal information that companies collect for business purposes. Overall, the regulation gives users more freedom and control over the information they share with companies.

Let us outline the rights that users get:

  1. The right to be informed about who is processing their personal data and why (Articles 13 and 14);
  2. The right of access to their personal data (Article 15);
  3. The right to rectification of inaccurate data (Article 16);
  4. The right to erasure, or the “right to be forgotten” (Article 17);
  5. The right to restrict processing (Article 18);
  6. The right to data portability, i.e. to receive their data and move it to another service (Article 20);
  7. The right to object to processing, including for direct marketing (Article 21);
  8. The right not to be subject to a decision based solely on automated processing, including profiling, that significantly affects them (Article 22).

Furthermore, GDPR sets requirements for how consent to data collection is obtained (Article 7). Consent must be a clear affirmative act by the user, so pre-ticked boxes, silence, or inactivity do not count (Recital 32). Withdrawing consent must be as easy as giving it, and users must be told how to withdraw it before they consent.

PII Compliance

To comply with PII rules, rely on the most widely used guidelines, laws, and standards in this area. Besides GDPR itself, the most common are GLBA, HIPAA, and PCI DSS.

  1. GLBA. The Gramm-Leach-Bliley Act regulates how US financial institutions protect and share customer information. Institutions must give customers a privacy notice explaining what data is collected and with whom it is shared, and must offer them the right to opt out of sharing with non-affiliated third parties;
  2. HIPAA. Here the relevant term is PHI, protected health information. The HIPAA Security Rule requires administrative, physical, and technical safeguards for PHI: limited physical access, controls on moving data and media, and policies on workstation use, among others;
  3. PCI DSS. The Payment Card Industry Data Security Standard defines security requirements for any organization that stores, processes, or transmits cardholder data. It is enforced contractually through the card brands and acquiring banks rather than by law, and demonstrates that a company handling card data maintains a defined baseline of controls.

Sensitive vs. Non-Sensitive PII

All PII can be divided into sensitive and non-sensitive. Let us take a closer look at the differences.

Sensitive PII

Sensitive PII is information whose disclosure could harm the person it concerns, so it must be protected both in storage and in transit. It includes data that on its own pins down one individual or unlocks access to their accounts: biometric data, passport or Social Security numbers, medical records, payment card numbers, account passwords, and employer or school identification numbers and records. E-mail addresses sit on the border: harmless alone, but the key to account recovery once combined with other leaked data. Note that GDPR draws the line differently: its “special categories” (Article 9) cover racial or ethnic origin, political opinions, religious beliefs, trade union membership, genetic and biometric data, health, and sex life or sexual orientation, so race and religion are sensitive under GDPR even though US-style classifications often treat them as non-sensitive.

Non-Sensitive PII

Non-sensitive PII is information whose disclosure on its own is unlikely to harm anyone, which is why it is routinely found in phone books, public records, web sites, and corporate directories: gender, race, date of birth, religion, or zip code. The caveat is that these values are quasi-identifiers: none of them singles out a person alone, but a small combination does. Latanya Sweeney’s well-known finding is that ZIP code, gender, and full date of birth together uniquely identify about 87% of the US population. “Non-sensitive” fields therefore still need to be minimised, and a dataset is not safe to publish or transmit unprotected simply because each field in it is public somewhere.
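The quasi-identifier point made in the PII definition above and in this section can be checked directly. The script below is an example added for this article, not RecFaces code: it joins a “de-identified” health table to a public register on ZIP code, sex and date of birth (a linkage attack), measures the exposure with k-anonymity, and shows how generalising the quasi-identifiers blunts the join. All records, names and column names are constructed for illustration.

```python
"""Added example (not RecFaces code): quasi-identifiers that look harmless on
their own (ZIP code, sex, date of birth) still re-identify people once two
datasets are joined; k-anonymity is the usual way to measure that exposure
before releasing a dataset. Every record below is constructed."""

from collections import Counter

QUASI_IDENTIFIERS = ("zip", "sex", "dob")

# Constructed "de-identified" dataset: names removed, quasi-identifiers kept.
HEALTH_RECORDS = [
    {"zip": "02138", "sex": "F", "dob": "1964-07-31", "diagnosis": "asthma"},
    {"zip": "02138", "sex": "M", "dob": "1971-02-12", "diagnosis": "diabetes"},
    {"zip": "02139", "sex": "F", "dob": "1964-03-15", "diagnosis": "migraine"},
    {"zip": "02139", "sex": "M", "dob": "1971-09-01", "diagnosis": "gout"},
    {"zip": "02140", "sex": "F", "dob": "1985-11-03", "diagnosis": "hypertension"},
    {"zip": "02140", "sex": "F", "dob": "1985-11-03", "diagnosis": "anaemia"},
]

# Constructed public register (voter roll / phone book style), names included.
PUBLIC_REGISTER = [
    {"name": "Alice Example", "zip": "02138", "sex": "F", "dob": "1964-07-31"},
    {"name": "Bob Example",   "zip": "02138", "sex": "M", "dob": "1971-02-12"},
    {"name": "Carol Example", "zip": "02139", "sex": "F", "dob": "1964-03-15"},
    {"name": "Dave Example",  "zip": "02139", "sex": "M", "dob": "1971-09-01"},
    {"name": "Erin Example",  "zip": "02140", "sex": "F", "dob": "1985-11-03"},
    {"name": "Faye Example",  "zip": "02140", "sex": "F", "dob": "1985-11-03"},
]


def qi_key(record, fields=QUASI_IDENTIFIERS):
    """The tuple of quasi-identifier values that both datasets share."""
    return tuple(record[f] for f in fields)


def link_records(deidentified, register, fields=QUASI_IDENTIFIERS):
    """Linkage attack: join the two datasets on their quasi-identifiers.
    Returns {diagnosis: sorted candidate names}; exactly one candidate means
    the 'anonymous' row has been re-identified."""
    index = {}
    for person in register:
        index.setdefault(qi_key(person, fields), []).append(person["name"])
    return {r["diagnosis"]: sorted(index.get(qi_key(r, fields), []))
            for r in deidentified}


def k_anonymity(records, fields=QUASI_IDENTIFIERS):
    """Size of the smallest group of records sharing the same quasi-identifier
    values. k == 1 means at least one record is unique and directly linkable."""
    return min(Counter(qi_key(r, fields) for r in records).values())


def generalise(records):
    """Coarsen the quasi-identifiers: ZIP to its first three digits, date of
    birth to the year. The diagnosis column stays usable for statistics while
    the join becomes ambiguous."""
    out = []
    for r in records:
        g = dict(r)
        g["zip"] = r["zip"][:3] + "**"
        g["dob"] = r["dob"][:4]
        out.append(g)
    return out


if __name__ == "__main__":
    print("k before generalisation:", k_anonymity(HEALTH_RECORDS))
    for diagnosis, names in link_records(HEALTH_RECORDS, PUBLIC_REGISTER).items():
        print(f"  {diagnosis:<13} -> {names}")
    # An attacker can coarsen the public register the same way, so the
    # linkage must be measured against the generalised register too.
    coarse = generalise(HEALTH_RECORDS)
    print("k after generalisation:", k_anonymity(coarse))
    for diagnosis, names in link_records(coarse, generalise(PUBLIC_REGISTER)).items():
        print(f"  {diagnosis:<13} -> {names}")
```

With the raw columns four of the six “anonymous” rows map to exactly one name (k = 1); after generalisation every row has two candidates (k = 2). Generalisation is a trade-off rather than a cure: k = 2 is still weak, and because the two 1985 records carry different diagnoses an attacker who knows one of them learns the other, which is what l-diversity measures on top of k-anonymity.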

Who Is Responsible for Safeguarding PII?

GDPR assigns responsibility to the controller (who decides why and how personal data is processed) and to the processor (who processes it on the controller’s behalf). It applies to organizations established in the EU and, under Article 3(2), to organizations outside the EU that offer goods or services to people in the EU or monitor their behaviour, regardless of the person’s citizenship. Recital 23 lists indicators that an organization is offering goods or services to people in the EU:

  • Accepting payment in EU currencies;
  • Using EU languages;
  • Using EU country domains (e.g. .de, .fr, .cz) or mentioning customers in the EU.

Organizations that monitor or analyse the online behaviour of people in the EU, for example through tracking or profiling, are covered as well.

What Qualifies as a PII violation?

Under GDPR a PII violation is a personal data breach: a security incident leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to personal data (Article 4(12)). Controllers must notify the supervisory authority within 72 hours of becoming aware of such a breach unless it is unlikely to pose a risk to individuals (Article 33). The most common consequence for the individuals affected is identity theft: the unlawful use of another person’s data for profit. Interest in this type of crime has grown with the spread of remote services that do not require the user’s physical presence, such as paying for online purchases with a bank card.

Another factor is the spread of social networks, where people share confidential information. Attackers use the collected data for targeted attacks, scams, and spamming, and for impersonating celebrities and ordinary people to damage the victim’s reputation.

How Is PII Used in Identity Theft?

There are several types of identity theft. Depending on the type of identity theft, personal information can be applied in different ways:

  1. Financial fraud varies in method and in how the money is obtained. Criminals steal databases of user data for resale, use the information to produce false documents and obtain loans, and make purchases in someone else’s name;
  2. Criminal identity theft is similar: documents are obtained with the stolen data, and the intruders then commit offences under someone else’s name, so that law-abiding citizens face lawsuits or fines;
  3. Identity cloning uses stolen personal information to assume a new identity; people hiding from creditors or other pursuers, and undocumented immigrants, use this method;
  4. Medical identity theft is mostly used to obtain prescription-only drugs (such as those containing narcotics) or medical care billed to the victim.

How to Protect PII

There are several broadly applicable ways to protect personal information:

  1. Collect data only with the individual’s informed consent to the terms of use, given at registration. When the terms change, tell users and publish the updated text with its last-update date;
  2. Collect personal data only for the stated purposes: running the service, communicating with the customer, and delivering what was ordered (data minimisation, Article 5(1)(c)). Do not collect data you do not use;
  3. Keep the personal information users have supplied in their accounts, where they can view, correct, or delete it at any time;
  4. Retain personal data only as long as the user uses the service or the stated purpose requires (storage limitation, Article 5(1)(e)); delete or anonymise it afterwards, and on the user’s request;
  5. Protect what you hold with measures appropriate to the risk (Article 32): encryption in transit and at rest, pseudonymisation where identities are not needed (logs, analytics), access limited to staff who need it, and a tested breach response procedure;
  6. Avoid handling raw payment card data yourself: use a PCI DSS-compliant payment provider that tokenises the card data and encrypts it on your customers’ behalf.
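The steps above are mostly procedural. The script below, added for this article and not RecFaces code, shows one technical safeguard that belongs alongside them: scrubbing PII from application logs before they leave the service. Payment card numbers are masked PCI DSS style (first six and last four digits kept) after a Luhn check so that ordinary order numbers are not mangled; e-mail and IPv4 addresses are replaced with keyed HMAC tags, so the same user can still be correlated across lines while only the key holder could map a tag back to the original. The log lines, field names and key are constructed; the regexes and the HMAC design are assumptions of this example, not something the article prescribes.

```python
"""Added example (not RecFaces code): find PII that routinely leaks into
application logs (e-mail addresses, IPv4 addresses, payment card numbers) and
neutralise it before the lines are shipped to a log platform. Card numbers
are masked PCI DSS style after a Luhn check; e-mail and IP addresses are
pseudonymised with a keyed HMAC (GDPR Article 4(5) pseudonymisation).
The log lines and the key are constructed for illustration."""

import hashlib
import hmac
import re

EMAIL_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")
IPV4_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
# 13-19 digits, optionally separated by single spaces or dashes.
CARD_RE = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")

# Pseudonymisation key: store it apart from the log pipeline and rotate it.
# Without a key this would be plain hashing, which an attacker reverses for
# e-mail addresses with a dictionary. Constructed value.
KEY = b"constructed-demo-key-do-not-reuse"

# Constructed log lines (RFC 5737 documentation IP range, Visa test PAN).
LOG_LINES = [
    "2024-03-01T12:34:56Z INFO login ok user=alice@example.com ip=203.0.113.42",
    "2024-03-01T12:35:10Z WARN payment declined card=4111 1111 1111 1111 user=alice@example.com",
    "2024-03-01T12:36:02Z INFO order 1234567890123456 shipped",
]


def luhn_valid(digits: str) -> bool:
    """Luhn check-digit test used by payment card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask_pan(pan: str) -> str:
    """Keep the first six and last four digits, the maximum PCI DSS allows to show."""
    digits = re.sub(r"\D", "", pan)
    return digits[:6] + "*" * (len(digits) - 10) + digits[-4:]


def pseudonymise(value: str, key: bytes, prefix: str) -> str:
    """Deterministic keyed tag: same input gives the same tag, so sessions still join up."""
    tag = hmac.new(key, value.lower().encode(), hashlib.sha256).hexdigest()[:12]
    return f"{prefix}:{tag}"


def scrub_line(line: str, key: bytes = KEY) -> str:
    """Mask card numbers first (plain digit runs), then replace e-mail and IP addresses."""
    def card_sub(match):
        digits = re.sub(r"\D", "", match.group(0))
        # Digit runs that fail Luhn (order numbers, counters) are left untouched.
        return mask_pan(digits) if luhn_valid(digits) else match.group(0)

    line = CARD_RE.sub(card_sub, line)
    line = EMAIL_RE.sub(lambda m: pseudonymise(m.group(0), key, "email"), line)
    line = IPV4_RE.sub(lambda m: pseudonymise(m.group(0), key, "ip"), line)
    return line


def scrub_lines(lines, key: bytes = KEY):
    """Scrub a batch of lines with one key."""
    return [scrub_line(line, key) for line in lines]


if __name__ == "__main__":
    for before, after in zip(LOG_LINES, scrub_lines(LOG_LINES)):
        print(before)
        print("  ->", after)
```

Two design points matter in practice. The HMAC key is what makes this pseudonymisation rather than a hash that anyone can reverse by hashing a list of known e-mail addresses, so it must not live next to the logs it protects, and rotating it deliberately breaks cross-period correlation. Second, pattern-based scrubbing is a last line of defence: a 16-digit order number passes Luhn about one time in ten, and IPv4 regexes also match version strings, so the real fix is not to write identifiers into logs in the first place.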

Summary

The new regulations establish clear rules for the interaction between users and companies in providing personal data. This is a major step to protect personal information on the Internet and a tool to combat manipulation and misuse of personal information.

Key Takeaways

  1. Any information that identifies a person, alone or in combination with other data, is PII.
  2. PII is classified as sensitive or non-sensitive, but the line is drawn differently by different frameworks.
  3. If your company is established in the EU, or offers services to or monitors the behaviour of people in the EU, you must comply with GDPR.
  4. To comply, consult GDPR itself and, depending on your sector, GLBA, HIPAA, and PCI DSS.
  5. PII is the raw material of identity theft, so it is crucial to protect it.
  6. Protection combines legal measures such as consent and data minimisation with technical ones such as encryption and pseudonymisation.

GDPR FAQ

In this section, we will give brief answers to the most popular questions about GDPR and PII.

What qualifies as PII?

PII is information that can identify a person when used alone or with other relevant data. PII can contain direct identifiers that can uniquely identify an individual or quasi-identifiers that can be combined with other quasi-identifiers to recognize an individual.

Is PII a legal concept?

The term “PII” is a legal term rather than a technical term. The meaning and connotations of the term may vary depending on the context in which it is used and the jurisdiction.

Who is responsible for protecting PII?

Under GDPR, the controller and any processors acting for it are responsible. This covers organizations established in the EU and organizations elsewhere that offer goods or services to, or monitor the behaviour of, people in the EU.

What is not considered sensitive PII?

Information whose disclosure on its own is unlikely to harm the person is considered non-sensitive: gender, zip code, or date of birth, for instance. Such data can still identify someone when combined with other data, so it is not exempt from protection.

How do you protect PII?

Check your company’s compliance with GDPR and, where relevant, GLBA, HIPAA, and PCI DSS. Collect data only with consent and only for the purposes of your service, keep it no longer than needed, encrypt it in transit and at rest, and use a PCI DSS-compliant provider for payment card data.

Where is PII valuable?

It is valuable in a myriad of industries, from banking, where you can log into your bank account with a single click, to medical care, where the doctor accesses your medical records to prescribe the correct treatment.
