What’s PII (Personal Identifiable Information)? Guide for GDPR

In May 2018, the General Data Protection Regulation, or GDPR, came into force in the European Union. The law expanded the scope of European legislation, detailed the rights of personal data subjects, and tightened operators’ obligations in processing and protecting data, given today’s technology.
What kind of data does GDPR protect? Personal data — any information about a person by which they are identified: gender, age, place of residence, mental, cultural, economic, or social identity. This article will discuss how GDPR works and what personally identifiable information, or PII, is.
Table of Contents
What Is PII? Definition & Meaning
What Does GDPR Mean by Personal Data?
What Qualifies as Personal Identifiable Information?
Personally Identifiable Information Examples
Personally Identifiable Information (PII) in Privacy Law of Different Countries
What Are the New User Rights for PII?
PII Compliance
Sensitive vs. Non-Sensitive PII
Sensitive PII
Non-Sensitive PII
Who Is Responsible for Safeguarding PII?
What Qualifies as a PII Violation?
How Is PII Used in Identity Theft?
How to Protect PII
Summary
Key Takeaways
GDPR FAQ
What qualifies as PII?
Is PII a legal concept?
Who is responsible for protecting PII?
What is not considered sensitive PII?
How do you protect information from PII?
Where is PII valuable?
What Is PII? Definition & Meaning
Personally identifiable information (PII) is information that can identify a person when used alone or with other relevant data. PII can contain direct identifiers (such as passport information) that can uniquely identify an individual or quasi-identifiers (such as race), which can be combined with other quasi-identifiers (such as date of birth) to recognize an individual successfully. Several key points help to understand what PII is:
- Personally identifiable information (PII) is information that can identify a person when used alone or with other relevant data;
- Personally identifiable information can include your full name, Social Security number, driver’s license, financial information, and medical records;
- Non-confidential personal information is readily available from public sources and may include your zip code, race, gender, and birth date.
Getting someone else’s PII is extremely easy, especially with the use of deception tools. Information about your identity is modern currency for cybercriminals, and as the world becomes more digital, it becomes more and more difficult for us to protect our data.
What Does GDPR Mean by Personal Data?
By personal data, GDPR means any information about a person by which they are identified: gender, age, place of residence, mental, cultural, economic, or social identity. The General Data Protection Regulation defines personal data as any information that relates to an identified or identifiable person. In other words, directly identifiable data is unambiguously linked to a person, such as a name or birth date. Indirectly identifiable data can be linked to a person, but only after additional steps.
Look at publicly accessible social networks. Many will say that this is not personal data because it is not private or confidential — after all, it has already been published. However, it is still connected to you as an individual because your profile is linked to your other social media accounts and emails. Eventually, they can be used to find you, too. According to GDPR, this is personal data.
Think about the IP address your computer uses to connect to the Internet. If someone sees that address, they won’t know who’s using it. But with additional information, it would be possible to tie that IP address to you. So, according to GDPR, an IP address is indirectly identifiable personal data.
What Qualifies as Personal Identifiable Information?
Identity includes a lot of data, such as the aforementioned personally identifiable information (PII). According to the NIST PII guide, PII can include direct or confidential identifiers, such as:
- Driver’s license;
- Credit card information;
- Medical records;
- Social Security number;
- Passport information;
- Full name;
- Mailing address.
The list of sensitive information that makes up your identity has expanded to include usernames and computer passwords, web pages and blogs, IP and email addresses, PINs, and so on.
Personally Identifiable Information Examples
The most high-profile example of a PII leak can be seen in the 2017 scandal centered on Facebook and Cambridge Analytica. The latter, a company that specialized in political psychometrics and worked with Donald Trump’s campaign staff in 2016, had the profile data of more than 50 million Facebook users.
An app called “thisisyourdigitallife” was created by a researcher at the University of Cambridge and was a personality type test. For participation in the survey, the app offered a small amount of money. Those who wished to answer the questions were asked permission to use their personal data “for scientific purposes only.”
Facebook gave permission to collect data through the app because the purpose of the collection was for scientific research, and the agreement between the parties did not provide for the transfer or sale of the collected data to third parties. But that’s exactly what happened.
Personally Identifiable Information (PII) in Privacy Law of Different Countries
Privacy and personal information laws exist in many countries and may vary accordingly. For example:
- In the USA, the “Guidelines for the Protection of Privacy of Personally Identifiable Information” defines “personally identifiable information” as names, biometric records, and Social Security numbers. It is believed that such data can be used to trace a person’s identity;
- In Canada, the Personal Information Protection and Electronic Documents Act (PIPEDA) and the Privacy Act define “personal information” as data that can identify an individual by itself or in combination with other data;
- In the European Union, Directive 95/46/EC defines “personally identifiable information” as information that can identify a person by an identification number or factors specific to physical, physiological, mental, economic, cultural, or social identity;
- In Australia, the Privacy Act of 1988 defines “personal information” as information or opinions, true or not, about a person whose identity is obvious or can be established. This is the broadest definition of personal information of any country.
What Are the New User Rights for PII?
Under the GDPR, users have the right to consent to or reject data collection, and to delete and control the personal information that companies collect for business purposes. Overall, the regulation gives users more freedom and control over the information they share with companies.
Let us outline the rights that users get:
- The right to know who is processing their personal data and why;
- The right to access their personal information;
- The right to the correction of personal data;
- The right to erasure, or the “right to be forgotten”;
- The right to restrict or block data processing;
- The right to transfer personal data from one service to another;
- The right to object to data processing;
- The right to personally influence automated data collection and profiling systems.
Furthermore, the GDPR sets special requirements for the form to confirm consent to collecting personal data. For the form to be compliant, the user must actively exercise his or her will. That is, forms with pre-ticked boxes will not do. Also, the user must have easy access to instructions for withdrawing consent to data processing.
PII Compliance
To comply with the new PII rules, it is worth relying on the most popular guidelines, laws, and regulations governing this area. In addition to the GDPR itself, the most popular are GLBA, HIPAA, and PCI DSS.
- GLBA. It regulates how financial institutions protect and/or share customer information. PII requirements under GLBA oblige financial institutions to tell customers how their data may be used and to inform them of their option not to have their data shared with third parties;
- HIPAA. The term PHI — protected health information — applies here. Regulations for handling such data include limited physical access, limitations on physical data transfer, and various policies regarding the use of workstations;
- PCI DSS. It defines information security standards for companies handling credit card information. This standard ensures that companies that handle credit card data can maintain a certain level of cybersecurity.
Sensitive vs. Non-Sensitive PII
All PII can be divided into sensitive and non-sensitive. Let us take a closer look at the differences.
Sensitive PII
Sensitive PII is information that could result in harm to a person if such data is leaked. This includes all data that can 100% identify a specific person — such as biometric data, passport or social security numbers, medical information, credit card numbers and their passwords, email addresses, and employer identification numbers. School identification numbers and records are also included in the sensitive PII list.
Non-Sensitive PII
Non-sensitive PII can be transmitted in unencrypted form without the risk of harm to a person. Such information can be found in phone books, public records, Web sites, and corporate directories. Also, the list of non-sensitive PII includes information such as gender, race, date of birth, religion, and zip code — in other words, data whose knowledge will not reveal a person’s identity 100%.
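The quasi-identifier point above (individually harmless fields such as zip code, gender and date of birth can single out a person once combined) is easy to check mechanically. The following is an added example, not code from the article: it strips the direct identifiers from a constructed sample dataset, measures how many records share each quasi-identifier combination (the smallest such group is the k of k-anonymity), and shows that generalizing zip code and birth date is what removes the uniquely identifiable rows. The field split into direct and quasi-identifiers follows the article's lists; the sample records are invented.

```python
from collections import Counter

# Field classes based on the article's examples (this split is the example's own choice).
DIRECT_IDENTIFIERS = {"full_name", "ssn", "passport", "email", "credit_card", "drivers_license"}
QUASI_IDENTIFIERS = {"zip", "gender", "birth_date", "race"}

# Constructed sample records; no real people or real numbers.
RECORDS = [
    {"full_name": "Alice Example", "ssn": "000-00-0001", "zip": "02139", "gender": "F", "birth_date": "1985-03-14"},
    {"full_name": "Bob Example",   "ssn": "000-00-0002", "zip": "02139", "gender": "M", "birth_date": "1990-07-01"},
    {"full_name": "Carol Example", "ssn": "000-00-0003", "zip": "02139", "gender": "F", "birth_date": "1985-03-14"},
    {"full_name": "Dan Example",   "ssn": "000-00-0004", "zip": "02138", "gender": "M", "birth_date": "1990-07-22"},
]


def strip_direct_identifiers(record):
    """Data minimization step: drop fields that identify a person on their own."""
    return {k: v for k, v in record.items() if k not in DIRECT_IDENTIFIERS}


def generalize(record):
    """Coarsen quasi-identifiers: keep only the 3-digit zip prefix and the birth year."""
    out = dict(record)
    if "zip" in out:
        out["zip"] = out["zip"][:3] + "**"
    if "birth_date" in out:
        out["birth_date"] = out["birth_date"][:4]
    return out


def quasi_key(record):
    """The combination of quasi-identifier values present in a record."""
    return tuple((k, record[k]) for k in sorted(QUASI_IDENTIFIERS) if k in record)


def min_group_size(records):
    """Smallest number of records sharing one quasi-identifier combination (k in k-anonymity)."""
    counts = Counter(quasi_key(r) for r in records)
    return min(counts.values()) if counts else 0


def reidentifiable(records):
    """Records whose quasi-identifier combination is unique, i.e. single out one person."""
    counts = Counter(quasi_key(r) for r in records)
    return [r for r in records if counts[quasi_key(r)] == 1]


if __name__ == "__main__":
    stripped = [strip_direct_identifiers(r) for r in RECORDS]
    print("k after stripping direct identifiers:", min_group_size(stripped))   # 1: Bob and Dan are still unique
    print("k after generalizing:", min_group_size([generalize(r) for r in stripped]))  # 2
```

Removing names and Social Security numbers alone leaves two rows that still point at exactly one person; only after generalization does every combination cover at least two records.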
Who Is Responsible for Safeguarding PII?
The General Data Protection Regulation standards apply to all companies that provide services to EU citizens, even if they are not actually located in the EU. These are organizations that offer goods or services:
- With payment options in EU currencies;
- In EU languages;
- On EU area domains (e.g. with .de, .fr, .cz extensions, etc.).
Organizations that monitor or analyze the online behavior of EU citizens are also liable.
What Qualifies as a PII Violation?
One of the most common cases of PII violation is identity theft. Identity theft is the illegal use of another person’s personal data for profit. Recently, there has been a surge of interest in this type of crime due to the increase in the number of remote services that do not require the user’s personal presence, such as paying for purchases in online stores using bank card payment systems.
Another important factor is the spread of social networks, where confidential information is shared. Attackers use the collected data for attacks, scams, spamming, and impersonating celebrities and other people to damage the victim’s reputation.
How Is PII Used in Identity Theft?
There are several types of identity theft. Depending on the type of identity theft, personal information can be applied in different ways:
- Financial fraud differs in the methods used and in the form in which the money is obtained. Criminals can steal databases with user data for subsequent resale, use the information to produce false documents to obtain loans, and make purchases in someone else’s name;
- Criminal identity theft is similar to the previous scenario: documents are obtained using the data provided by the scammers. The intruders then commit various illegal actions on behalf of someone else, as a result of which law-abiding citizens may face lawsuits or fines;
- Personal information theft can also be used to change identity. People hiding from creditors or other pursuers, as well as illegal immigrants, use this method;
- Medical identity theft is mostly used by criminals to acquire prescription-only drugs (such as those containing narcotics).
How to Protect PII
There are several broadly applicable ways to protect personal information:
- Collect data only with the individual’s consent to the terms of use of the web resource, given at registration. If changes are made to the terms and conditions, inform users about them and update the information on the site with the date of the last update;
- Collect personal data solely to ensure the service’s smooth operation, communicate with the customer, and provide the stated services. Do not collect data that is not used in the work;
- Keep all personal information received from users in their accounts, to which they have permanent access. Personal data can be viewed, corrected, or deleted there;
- Store user information and personal data on a “lifetime” basis, i.e. for as long as the user has been using the service. Data can be changed or deleted at the client’s personal request;
- Use a service with a PCI DSS security certificate to encrypt customer payment data.
Summary
The new regulations establish clear rules for the interaction between users and companies in providing personal data. This is a major step to protect personal information on the Internet and a tool to combat manipulation and misuse of personal information.
Key Takeaways
- Any information that can identify a person 100% is considered PII.
- There are two types of PII – sensitive and non-sensitive.
- If you have a company based in the EU or provide any services to EU citizens, you must comply with GDPR rules.
- To comply with the new standards, check GDPR itself, as well as GLBA, HIPAA, and PCI DSS.
- PII can be used in identity theft, and, therefore, it is crucial to protect it.
- There are several methods of PII protection, from encryption to obtaining user consent.
GDPR FAQ
In this section, we will give brief answers to the most popular questions about GDPR and PII.
What qualifies as PII?
PII is information that can identify a person when used alone or with other relevant data. PII can contain direct identifiers that can uniquely identify an individual or quasi-identifiers that can be combined with other quasi-identifiers to recognize an individual.
Is PII a legal concept?
The term “PII” is a legal term rather than a technical term. The meaning and connotations of the term may vary depending on the context in which it is used and the jurisdiction.
Who is responsible for protecting PII?
All companies that provide services to EU citizens, even if they are not actually located in the EU, are responsible for this. Organizations that monitor or analyze the online behavior of EU citizens are also liable.
What is not considered sensitive PII?
All information that could not result in harm to a person if such data is leaked is considered non-sensitive. This includes all data that cannot 100% identify a specific person.
How do you protect information from PII?
You should check your company’s compliance with GDPR, GLBA, HIPAA, and PCI DSS rules. Moreover, you should collect data only with the individual’s consent and solely to ensure your service’s smooth operation, and use a service with a PCI DSS security certificate to encrypt payment data.
Where is PII valuable?
It is valuable in a myriad of industries, from banking, where you can log into your bank account with a single click, to medical care, where the doctor accesses your medical records to prescribe the correct treatment.