GDPR Compliance: What is PII?
You may hear the term PII (Personally Identifiable Information) come up in the context of GDPR (General Data Protection Regulation). Interestingly, PII is more of a North American term and isn't directly associated with GDPR. Personal data is the term most commonly used to label the personal information GDPR protects.
Of course, this leads to the question of how PII and personal data differ. In a nutshell, it's a "squares and rectangles" situation: all PII is personal data, but not all personal data is PII. Here, we'll take a deeper dive into PII and personal data to help you gain a better understanding of the topics.
Personally Identifiable Information is any piece of information through which an individual can be identified, contacted, or located. Information can be categorized as PII if it fits that definition alone ("linked information"), or in conjunction with other easily accessible sources ("linkable information").
Linked information is a piece of information through which an individual is identified directly. Such information includes:
- Home address
- Full name
- Date of birth
- Passport number
- Email address
- Credit card number
- Financial account
- Phone number
- Social security number
- Login details
- Taxpayer identification number
- Driver's license number
Linkable information is a detail or a piece of information that cannot identify an individual directly. It needs to be used in conjunction with some other piece(s) of data for identification to occur. Examples of linkable information include:
- Race or ethnicity
- Hair color
- First name
- State, region, county
- Approximate age (without a date of birth)
- Job position
Advantages of PII
On its own, PII has no upside or downside per se. It's just a classification of data. However, when we talk about PII we're usually talking about protecting it. So, the advantage of PII is that it lays the groundwork for implementing processes and standards that increase data privacy. Obviously, the main benefit here is to consumers and individuals.
Businesses must absorb the costs of protecting PII as a result. Of course, this can be argued as a benefit as well: organizations are now incentivized to protect personal information. Companies in possession of people's PII are liable for harm that results from a breach of that PII.
That's why companies have strong reasons to secure people's data. How safe customers' data is with a company determines how much customers trust it, which in turn affects the company's reputation.
Countries across the world are becoming more concerned and involved in how their citizens' PII is collected, processed, and secured. Their concerns have led to the creation of many data regulation agencies.
There have been incidents where companies slipped up with customers' PII and caused those customers serious harm. To deter such incidents, nations have become stricter with fines and penalties for companies that fail to protect their citizens' data (case in point: recent GDPR fines).
The Responsibility for Safeguarding PII
Many people think that safeguarding PII is exclusively the duty of the company collecting the data. However, this isn't totally correct. Imperva touched on this topic a bit on their blog. From a legal standpoint, the individual and the company are often both responsible for safeguarding PII.
Differences Between PII and Personal Data
As we mentioned above, all PII is personal data, but not all personal data can be referred to as PII.
According to the GDPR (Article 4(1)), personal data means
"any information relating to an identified or identifiable natural person ('data subject'); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person."
This definition makes personal data a broader category than its PII counterpart. PII is defined by specific kinds of information that identify an individual; GDPR's "any information relating to" a person who is identifiable "directly or indirectly" sweeps in far more.
"Any information" means data like pictures, social media posts, and security surveillance footage can be personal data whenever they relate to an identifiable person.
Sensitive PII vs. Sensitive Personal Data
Underneath the PII and Personal Data categories are the more sensitive categorizations. Here, we'll look at Sensitive PII and Sensitive Personal Data.
Every piece of PII should be protected, but there are different levels of PII. Sensitive PII is information that, when lost or compromised, can pose a serious threat to the individual. The harm from breached sensitive PII could be unfair treatment, harassment, distress, or inconvenience.
Examples of sensitive PII include:
- Bank account numbers
- Healthcare information
- State ID information
- Student information
Sensitive Personal Data
Just as there is sensitive PII, there is also sensitive personal data, which GDPR calls "special categories of personal data" (Article 9) and subjects to stricter processing rules. As you might expect, sensitive personal data covers a broader range than sensitive PII; the full Article 9 list also includes health, genetic and biometric data and data concerning sex life or sexual orientation.
Examples of sensitive personal data include:
- Religious beliefs
- Political views
- Ethnicity or race
- Trade union membership
Non-PII
Non-PII is information that, on its own, cannot be used to identify an individual. Commonly cited examples of non-PII are cookies, device IDs, and IP addresses. As CenterPoint IT calls out, this is another area where PII and personal data differ: in EU countries, cookies, device IDs, and IP addresses are all treated as personal data, because GDPR's definition explicitly includes "online identifiers" and Recital 30 names IP addresses and cookie identifiers as examples.
Note: The non-PII explanation above is high-level. The topic of PII in the U.S. is an involved one. As we'll see in the section below, states are beginning to tackle the data privacy issue. As a result, we can expect to see definitions evolve over time and find exceptions to the general rule.
Regulations Around PII and Non-PII in the U.S.
In the EU, we know GDPR is the broad legislation protecting personal data. There isn't a comparable federal law in the United States just yet. However, there are various narrower pieces of legislation and industry standards that deal with data privacy.
For example, HIPAA (Health Insurance Portability and Accountability Act of 1996) deals with the protection of patients' medical data. (Fun fact: The strict requirements around HIPAA were even one of the 5 Reasons to Keep Your Mail Server On-Prem). Similarly, PCI DSS (Payment Card Industry Data Security Standard), an industry standard rather than a law, sets requirements for protecting payment card data.
Looking forward, California took a step in June 2018 to enact the California Consumer Privacy Act (CCPA) 2018, and it will take effect in January 2020. The act is said to be the strictest set of data privacy regulations in the U.S.
Want to ensure your organization takes data privacy and compliance seriously? Check out our How to Create a Compliant Security Awareness Program post by Raju Woodward.
Regardless of where you are in the world, or whether you're subject to GDPR, HIPAA or other regulations, respecting data privacy is important. If not from a regulatory standpoint in your region, at least from an ethical standpoint. If users trust you with their personal data, you should make an effort to keep it secure. Further, if you are in a region where regulation applies, then you have a financial incentive to protect that data.
In addition to building awareness, creating a data privacy framework can go a long way in helping you protect PII. To help you get started we'll give you a crash course on some of the relevant terms and techniques.
- Discovery. PII (or personal data) discovery is the process of finding PII within your organization. This is more involved than it may seem at first glance: identifiers do not only live in the database columns named for them, but also in free-text notes, logs, exports, and backups. With how many touchpoints businesses have with users today, finding all personal information is a large task. Discovery is usually one of the first steps in the creation of a larger protection framework.
- Data Masking. This is the process of obfuscating sensitive data, for example replacing all but the last four digits of a card number with asterisks before it reaches a log, a test database, or a support screen. You may hear this term come up frequently in relation to HIPAA and PCI DSS. The general idea makes sense: a value that has been obfuscated before it leaves the system of record cannot be recovered from the places it was copied to.
- Anonymization. This is the act of taking personal information and making it anonymous. If you think of a data set with PII, data anonymization is easy to conceptualize. If you remove linked identifiers like name, address, birthday, and phone number, and coarsen linkable ones (an age range instead of a date of birth, a region instead of a street), it becomes much more difficult to identify anyone in the data set. Pseudonymization is a related but weaker technique: identifiers are replaced with tokens (for example a keyed hash), and the key or mapping table is kept separately. GDPR defines it in Article 4(5), and because the data can be re-linked with that additional information, pseudonymized data is still personal data under GDPR, whereas truly anonymized data falls outside it (Recital 26).
- Compliance Environment. This is a term used to describe which regulations you must comply with. If you are subject to HIPAA, then HIPAA is part of your compliance environment.
- Data Integrity. Masking, anonymization, and pseudonymization all change the data and can make it less useful. Data integrity here describes how much of that modification your data set can tolerate while still being accurate enough for its purpose.
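As an added example (not code from the original post), here is a small Python script that runs these steps over a constructed customer record: it discovers PII both in named fields and in free text (with a Luhn check to weed out false card matches), masks a card number, pseudonymizes an email with a keyed HMAC whose key would be stored separately, and anonymizes the record by dropping linked identifiers and coarsening the date of birth into an age band. The record, the key and the reference date are all made up for the demonstration.

```python
import hashlib
import hmac
import re
from datetime import date

# Constructed sample record: fictitious person, fictitious SSN, and the
# well-known Visa test card number (which passes the Luhn check).
SAMPLE_RECORDS = [
    {
        "full_name": "Ada Example",
        "email": "ada@example.com",
        "ssn": "123-45-6789",
        "card": "4111 1111 1111 1111",
        "dob": "1985-04-12",
        "state": "CA",
        "job": "Engineer",
        "note": "Customer called from ada@example.com about SSN 123-45-6789",
    },
]

# Fixed reference date so the age band computed below is deterministic (assumption).
REFERENCE_DATE = date(2019, 6, 1)

# Discovery: patterns for linked identifiers that tend to leak into free-text fields.
PII_PATTERNS = {
    "ssn": re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),
    "email": re.compile(r"\b[\w.+-]+@[\w-]+(?:\.[\w-]+)+\b"),
    "card": re.compile(r"\b(?:\d[ -]?){12,18}\d\b"),
}

# Fields that directly identify a person and are dropped during anonymization.
DIRECT_IDENTIFIERS = {"full_name", "email", "ssn", "card", "dob", "note"}


def luhn_ok(digits: str) -> bool:
    """Luhn checksum over a digit string; used to cut false positives from the card regex."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def discover_pii(record: dict) -> dict:
    """Map each field name to the sorted list of PII kinds found in its string value.

    Every string field is scanned, so an SSN pasted into a 'note' field is reported too.
    """
    findings = {}
    for field, value in record.items():
        if not isinstance(value, str):
            continue
        hits = set()
        for kind, pattern in PII_PATTERNS.items():
            for m in pattern.finditer(value):
                if kind == "card" and not luhn_ok(re.sub(r"\D", "", m.group())):
                    continue            # digit run that is not a plausible card number
                hits.add(kind)
        if hits:
            findings[field] = sorted(hits)
    return findings


def mask(value: str, keep_last: int = 4, fill: str = "*") -> str:
    """Irreversible masking: keep only the trailing digits a support workflow needs."""
    digits = re.sub(r"\D", "", value)
    if len(digits) <= keep_last:
        return fill * len(digits)
    return fill * (len(digits) - keep_last) + digits[-keep_last:]


def pseudonymize(value: str, key: bytes) -> str:
    """Keyed-hash pseudonym: the same person yields the same token across data sets,
    so joins still work, but only the holder of the separately stored key can
    recompute and re-link it. An unkeyed hash would not do: emails and SSNs come
    from spaces small enough to be recovered by brute force."""
    normalized = value.strip().lower().encode()
    return hmac.new(key, normalized, hashlib.sha256).hexdigest()[:16]


def age_band(dob: str, today: date, width: int = 10) -> str:
    """Coarsen an exact date of birth (linked) into a ten-year band (linkable at most)."""
    born = date.fromisoformat(dob)
    age = today.year - born.year - ((today.month, today.day) < (born.month, born.day))
    lo = (age // width) * width
    return f"{lo}-{lo + width - 1}"


def anonymize(record: dict, today: date) -> dict:
    """Drop direct identifiers and replace the date of birth with an age band."""
    out = {k: v for k, v in record.items() if k not in DIRECT_IDENTIFIERS}
    if "dob" in record:
        out["age_band"] = age_band(record["dob"], today)
    return out


if __name__ == "__main__":
    key = b"demo-key-kept-in-a-separate-store"   # assumption: never stored with the data
    for rec in SAMPLE_RECORDS:
        print("discovered:", discover_pii(rec))
        print("masked card:", mask(rec["card"]))
        print("pseudonym:", pseudonymize(rec["email"], key))
        print("anonymized:", anonymize(rec, REFERENCE_DATE))
```

Note that the anonymized row keeps state and job, which are linkable information; whether that is enough to single someone out depends on how many people share those values, which is why anonymization is usually checked against the whole data set rather than one row at a time.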
PII and personal data are broad and complex topics that cover a lot of legal and technical ground. They can also be difficult to master. However, protecting personal information and respecting data privacy is an important part of working in tech, especially now that the GDPR is in effect. Every IT pro needs to be aware of the ramifications.
As an IT professional, users will trust your systems with their PII. Regardless of your particular compliance environment, there is an ethical argument for protecting PII. None of us want our personal information leaked, and working in tech, you can help prevent that. Additionally, the focus on data security has led to an environment where protecting user data can be lucrative. As a result, IT pros who master PII and data security can boost their earning potential while doing a lot of good.