Defining PII (Personally Identifiable Information)


Personally identifiable information (PII) is data someone could use to identify you. If someone had access to your PII, with a bit of time and talent, that person could figure out who you are. And sometimes, that sleuthing comes at great risk to your privacy, peace of mind, or both.

For example, PII could help a hacker discover that the head of a major nonprofit organisation also spends time online gambling. Or PII could help a reporter determine that a lawmaker has a terminal illness.

Years ago, any digital company could collect scads of data about you. Blocking collection, manipulation, sharing, or deletion of that information was difficult. Now, many countries have PII laws on the books that give you rights. The biggest among them is the EU's General Data Protection Regulation (GDPR).

What is PII?

Information unique to you, or data that could be used to build a profile of you, is PII. If the definition seems nebulous, that's intentional. 

These data points are commonly considered PII:

  • Account numbers
  • Email addresses
  • Formal names (first and last)
  • IP addresses
  • Phone numbers
  • Physical addresses
  • Social Security numbers
  • Usernames

But often, legislation allows companies to determine what is and is not PII. And the rules can shift periodically.

As the U.S. General Services Administration puts it, managing PII means conducting case-by-case assessments. Sometimes, a data point that doesn't seem like PII could become so at a later point. Truly taking stock of the data collected and its relevance is a full-time endeavour.

PII and GDPR

As we mentioned, most countries have some kind of PII legislation. Consumers want control over their data, and they rely on government agencies to craft appropriate laws. One of the biggest comes from Europe.

The GDPR is legislation designed to protect European consumers as they make online transactions and otherwise conduct business. The law was years in the making, but in 2018 or so, companies had to comply with it or face the consequences.

Under GDPR, consumers have the right to:

  • Protection. Companies must ensure that PII they collect is secure.
  • Access. Consumers can request their PII and change inaccuracies.
  • Notification. Consumers must opt in to data collection. Notifications tell them what PII is collected, what it's used for, and how long it's retained.
  • Deletion. Consumers can ask companies to wipe their digital slate clean.

Companies located within the EU must follow GDPR. But any company that works with European consumers must also comply.

To give an example, an American company selling airline tickets to an Irish customer must comply with GDPR. That airline must collect a variety of PII, including the passenger's name, address, and banking data. GDPR protects that Irish customer, and the American company is on the hook to comply.

The European Data Protection Board (EDPB) manages this legislation, and this group can levy fines against companies that break the rules. Fines are steep, and they’re applied at the breach level.

Other PII uses

We've talked quite a bit about GDPR, and while that legislation is important, it's not the only reason to protect PII.

American companies, for example, must also wrestle with HIPAA regulations. This healthcare law protects private information about patients, and insurance companies, hospitals, and others in the healthcare space are required to comply.

If you collect data from any consumer at any point, you must be thinking about PII. If you run a website, you're in this group.

When people visit an online entity like a website, you might track their:

  • IP address
  • Usernames
  • Addresses (if you have contact forms)
  • Bank accounts (if you accept payments)

You may also have online trackers installed. So-called "cookies" can help you ensure your marketing plans are working, so you can attract even more customers down the line. If your cookies aren't PII compliant, and many of them are not, you could be facing privacy violations.

And the way you manage your services, such as tapping into the cloud, could come with its own PII risks.

Let us help. Read our blog about protecting PII while migrating to the cloud. And find out how Very Good Security lets us work on sensitive data without putting PII at risk.

References

Rules and Policies Protecting PII. U.S. General Services Administration.

General Data Protection Regulation (GDPR): What You Need to Know to Stay Compliant. (June 2020). CSO.

Protection of Personal Data. European Commission.

The Birth of GDPR: What Is It and What You Need to Know. (May 2018). Forbes.

Who We Are. European Data Protection Board.