Blog Post
PII: What it is & how to protect it
Understanding what personally identifiable information (PII) is and how to protect it is more important now than ever. With a global spotlight on the responsible handling of data and consequences for non-compliance at an all-time high, businesses are facing unprecedented pressure to get this information under control.
While definitions may vary slightly depending on the compliance laws and jurisdictions, PII is generally defined as any data that can be used to identify an individual. While this may seem straightforward enough, digitization efforts over the past decade have transformed the way businesses use consumer data. Not only is this information increasingly collected and stored, but it is used in a variety of new ways. For example, businesses today often leverage this data to enhance advertising efforts.
As PII compliance laws evolve and businesses continue to rely on personal information, understanding the risk that surrounds your data is critical, and organizations should make safeguarding the sensitive information they collect about their consumers a priority.
Compliance laws were created around the world to govern this collection of PII. However, not all PII is equally sensitive, and to understand how to protect it, you need to know which types of information carry the most risk.
Different types of PII
Sensitive PII - Sensitive PII identifies an individual directly and, if exposed, can cause significant harm such as identity theft or fraud, so it carries the highest compliance risk. This can include consumers' full names, Social Security numbers, mailing addresses, driver's license numbers, payment card data and medical records, to name a few.
Non-sensitive PII - Non-sensitive PII is personal information that identifies, describes or is capable of being linked back to a particular consumer or household but does not identify a person on its own. Because it is less direct than sensitive PII, it usually carries less risk. Examples include race, zip code, gender, religion and place of birth. Two caveats apply: these attributes can still re-identify a person when combined (a zip code, gender and date of birth together single out a large share of the U.S. population), and some of them, such as racial or ethnic origin and religious beliefs, are treated as special categories of data under the GDPR and carry additional restrictions.
Every business holds both sensitive and non-sensitive PII, and under most compliance laws, this all needs to be accounted for. To best understand how to approach PII compliance and discovery, we also need to understand which compliance laws apply to your organization and how each of these define PII.
PII as defined by Compliance Laws
- GDPR: The GDPR uses the term "personal data" rather than PII, meaning any information relating to an identified or identifiable natural person. The scope is deliberately broad and covers not only the sensitive PII listed above but also IP addresses and other online identifiers, login details, social media posts, digital images, location data and more.
- CCPA: In the CCPA, personal information is defined as information that identifies, relates to, describes, is reasonably capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household. Examples of these are similar to the examples mentioned above.
- HIPAA: HIPAA does not use the term PII. It regulates protected health information (PHI): individually identifiable health information that relates to an individual's past, present or future physical or mental health, the provision of health care, or payment for that care, when it is held by a covered entity or one of its business associates.
While the GDPR and the CCPA (as amended by the CPRA, in force since 2023) are similar, the two are not the same. The CCPA was the first of the state-level U.S. privacy laws, and although it borrows principles from the GDPR, it is a heavily consumer-oriented law that grants rights and privileges to individuals. Organizations that handle health-related information, on the other hand, will find that much of that data is governed by HIPAA rather than by the regulations above (the CCPA, for example, exempts PHI that HIPAA already covers), so they need a thorough understanding of HIPAA while remaining subject to other privacy laws for any data outside its scope.
However, it's important to note these regulations only scratch the surface, and many other compliance laws exist that organizations should familiarize themselves with, including the CPRA, Brazil's LGPD, Canada's PIPEDA, Australia's Privacy Act, and the list goes on. No matter which compliance laws your company is subject to, you will need to start by identifying where the PII in your company resides. To learn more about what steps to take to effectively secure PII, check out our blog.
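What identifying PII in practice involves, as an added example that is not part of the original post and not code from Ground Labs or its products: a small Python scanner run over a constructed sample document. It looks for two of the highest-risk sensitive PII types listed above (Social Security numbers and payment card numbers) plus e-mail addresses, and applies validity rules (the SSA's never-issued area/group/serial ranges and the Luhn checksum) so that arbitrary digit strings are not reported as hits. It also masks every value it reports, since a discovery report that echoes raw PII is itself a leak. The sample text, the `Finding` record and the masking format are assumptions made for this example.

```python
"""PII discovery scanner (illustrative example, not part of any vendor product).

Finds candidate SSNs, payment card numbers and e-mail addresses in text,
applies validity rules to reduce false positives, and masks what it reports.
"""
import re
from dataclasses import dataclass

# Constructed sample export: fictitious person, test card numbers, no real data.
SAMPLE = """Customer export, Q3
name: Jane Q. Public   email: jane.public@example.com
ssn: 123-45-6789   (old record: 000-12-3456)
card: 4111 1111 1111 1111  backup: 4111-1111-1111-1112
order id: 9876543210 zip: 02139
"""

SSN_RE = re.compile(r"(?<!\d)(\d{3})-(\d{2})-(\d{4})(?!\d)")
# 13 to 19 digits, optionally separated by single spaces or hyphens.
CARD_RE = re.compile(r"(?<![\d-])(?:\d[ -]?){12,18}\d(?![\d-])")
EMAIL_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")


@dataclass(frozen=True)
class Finding:
    kind: str     # "ssn", "card" or "email"
    masked: str   # value with all but the trailing characters hidden
    line: int     # 1-based line number in the scanned text
    valid: bool   # passed the format or checksum rule for its kind


def luhn_valid(number: str) -> bool:
    """Luhn mod-10 checksum that all major payment card numbers satisfy."""
    digits = [int(c) for c in number if c.isdigit()]
    total = 0
    for i, d in enumerate(reversed(digits)):
        if i % 2 == 1:            # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def ssn_plausible(area: str, group: str, serial: str) -> bool:
    """Structural rules: area 000, 666 and 900-999 are never issued,
    nor are group 00 and serial 0000."""
    a = int(area)
    if a == 0 or a == 666 or a >= 900:
        return False
    return int(group) != 0 and int(serial) != 0


def mask(value: str, keep: int = 4) -> str:
    """Keep only the trailing characters so the report does not leak the value."""
    return "*" * (len(value) - keep) + value[-keep:]


def line_of(text: str, offset: int) -> int:
    return text.count("\n", 0, offset) + 1


def scan(text: str) -> list[Finding]:
    """Return every candidate, validated or not, so analysts can review rejects."""
    findings = []
    for m in SSN_RE.finditer(text):
        findings.append(Finding("ssn", mask(m.group(0)), line_of(text, m.start()),
                                ssn_plausible(*m.groups())))
    for m in CARD_RE.finditer(text):
        digits = re.sub(r"\D", "", m.group(0))
        findings.append(Finding("card", mask(digits), line_of(text, m.start()),
                                luhn_valid(digits)))
    for m in EMAIL_RE.finditer(text):
        local, _, domain = m.group(0).partition("@")
        findings.append(Finding("email", mask(local, 1) + "@" + domain,
                                line_of(text, m.start()), True))
    findings.sort(key=lambda f: f.line)   # stable: keeps match order within a line
    return findings


def confirmed(text: str) -> list[Finding]:
    """Only the findings that passed their validity rule."""
    return [f for f in scan(text) if f.valid]


if __name__ == "__main__":
    for f in scan(SAMPLE):
        status = "confirmed" if f.valid else "rejected"
        print(f"line {f.line}: {f.kind:5} {f.masked}  {status}")
```

Run against the sample, the scanner confirms the e-mail address, the first SSN and the first card number, and rejects the 000-area SSN and the card whose last digit fails Luhn; the ten-digit order number and the zip code never become candidates. In a real deployment the same pattern-plus-validation approach is applied across file shares, databases and mail stores, and the masked findings feed an inventory of where sensitive PII resides.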
Identifying & protecting PII with Ground Labs
Luckily, data discovery tools exist to help you account for both the sensitive and non-sensitive PII your organization collects on consumers, whichever compliance laws apply to you. Use Enterprise Recon to learn exactly what PII your company has stored, where it resides, how it is being used and, most importantly, how it is being protected.
If you are ready to start your data discovery journey, book a demo with a data expert today.