When we talk about PII, GDPR's personal data and privacy, we find different terms depending on the jurisdiction we deal with. Although their meanings are generally understood to be similar, the terms are often confused, and they actually cover different types of personal data. PII (Personally Identifiable Information) is the term used in the USA, while "personal data" is the term generally used in the EU’s General Data Protection Regulation (GDPR).
Although both terms are often used interchangeably as if they were synonyms, we should be very clear that they have different meanings. Delving into what is understood by PII and by GDPR’s Personal Data, we find that we are dealing with slightly different requirements.
The difference between PII and personal data
Since the legal system in the USA is composed of different regulations and different federal and state laws, the definition of PII is not as consistent or as structured as the personal data defined in the GDPR for the countries in the European Union.
To start with, it is complicated to outline the difference between PII and personal data because PII is defined across multiple laws, regulations and procedures, such as:
- Health Insurance Portability and Accountability Act (HIPAA)
- US Department of Labor
- Federal Trade Commission (FTC)
- Children’s Online Privacy Protection Act (COPPA)
- National Institute of Standards and Technology (NIST)
These sources define PII, or specific parts of it, differently (for example, HIPAA covers Protected Health Information, or PHI). This creates many granular variations when it comes to defining a minimum set of items that should be anonymized and what counts as private, personal data.
GDPR’s definition of personal data can sometimes look wider than the US definition of Personally Identifiable Information because the European regulation includes the link between the personal data and an identifiable individual, which is often not so tangible.
Therefore, in general, Personally Identifiable Information can be considered as a subset of the EU’s GDPR definition. Nonetheless, there are also other definitions that closely match with the GDPR definition of personal data.
What is PII?
Personally Identifiable Information is any piece of information that can be used to identify an individual directly or indirectly. But let’s remember that the definition of PII can differ according to any of the five sources above, since there is no nationwide definition and it is also not regulated by a specific national legislation.
For example, the definition by NIST (National Institute of Standards and Technology) says that PII is:
“Any information about an individual maintained by an agency, including (1) any information that can be used to distinguish or trace an individual’s identity, such as name, social security number, date and place of birth, mother’s maiden name, or biometric records; and (2) any other information that is linked or linkable to an individual, such as medical, educational, financial, and employment information.”
In practice, as there is no golden rule or “source of truth” for the definition of Personally Identifiable Information, the most useful way to determine what information is and isn’t PII is through individual assessment, paying attention to the procedure, law, regulation, or standard governing your specific State, industry or field of application.
US corporations are responsible for compliance with the applicable data protection laws in each jurisdiction in which they operate. Clearly, one of the first steps towards compliance is understanding which data is considered PII (or, if dealing with European users, “Personal Data”) and whether they are required to apply additional safeguards.
Examples of Personally Identifiable Information (PII)
PII typically includes obvious contact and identifying data such as the person’s full name, phone number, passport number, home address, social security number, driver’s license number and email address, as well as other digital data like IP address and geolocation. Other items are considered sensitive data, particularly biometric data or medical records.
Just as with GDPR, it is important to note that not all PII requires the same level of protection and not all of it is equally sensitive.
A logical way to ascertain whether some data is sensitive is to ask whether disclosing that PII could result in severe damage to the individual’s privacy or otherwise.
Examples of PII
- A person’s full name
- A person’s address information
- Personal telephone number
- Social security number
- Credit card number
- Biometric data: fingerprints, retina scans, or voice signature
- Driver’s license number
- IP address / geolocation
Examples of quasi-identifiers
Quasi-identifiers (also known as linkable information) are not considered PII on their own. It is important to remember, though, that when linked to any other piece of personal information, a quasi-identifier could identify a specific individual and, in context, represent PII as well.
Quasi-identifiers are pieces of information about an individual, or related to that person, for which there may be a possible, logical association. This partial information, together with other information about the individual, can allow you to trace and identify the person, for example:
- Race and Gender
- Age or date of birth
- Business telephone number
- Place of birth
- Education information…
What is considered non-PII?
Non-PII would be a piece of information that doesn’t allow you to identify an individual. This, however, can be very vague when compared to GDPR’s definition of Personal Data.
Some definitions of PII in the US don’t include cookie IDs or IP addresses, which directly conflicts with the GDPR’s definition.
- Aggregated statistics
- Internet Protocol (IP)
- Media Access Control (MAC) addresses
- Cookie ID
- Device ID
Only NIST clearly states that linked information can be considered PII, including asset information (such as Internet Protocol (IP) or Media Access Control (MAC) addresses, or other host-specific identifiers that link to a particular person or to a small, specific group of people). In fact, this means that cookie IDs and device IDs can be considered PII. Again, it depends on who you ask.
Now… What is personal data under the GDPR?
If your customer base is partly in Europe and you deal with European clients, we recommend you understand and familiarize yourself with the concept of Personal Data defined by GDPR, as it is one of the basics for obtaining GDPR compliance. The fact that you are operating from the US or elsewhere does not matter, since all corporations that process personal data of any EU citizen or resident are obligated to comply with GDPR, even if the processing takes place outside the EU. GDPR covers European citizens’ data even if they are not resident in the EU. This is very important because GDPR has a global reach and is not just for EU companies, which obviously have had to comply with it strictly since 2018.
GDPR defines Personal Data as “any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.”
For GDPR, Personal Data means (but is also not limited to):
- name and last name
- home address
- identification number
- Internet Protocol address (IP address)
- cookie ID
- sensitive data such as criminal records, medical records, religious and philosophical beliefs and more…
What is not considered personal data?
According to GDPR, some types of information are not considered Personal Data, including (but not limited to):
Information about legal entities such as companies or public authorities. An exception applies if the information is related to an individual (partners, company employees, stakeholders, managers), that is, if the individual can be identified and the information is related to that individual.
The following is not considered personal data:
- company registration number
- general email addresses not containing personal data (firstname.lastname@example.org)
- information related to a deceased individual
- anonymized data
Anonymization and pseudonymization of personal data
The difference between anonymization, pseudonymization and data masking really calls for an in-depth explanation. In short, anonymization is the transformation of data so that the data is no longer identifiable as being associated with a particular person. The action is irreversible and the altered data cannot be used to directly or indirectly identify an individual. Anonymization is effective if the identification of the individual associated with the data is not possible even with the addition of other knowledge about the anonymized data.
Pseudonymization is a data management procedure by which personally identifiable information fields within a consumer data record are replaced by one or more artificial identifiers, or pseudonyms, which may be recalled at a later date to re-identify the record. Data pseudonymization can be used when you will need to re-identify users in the future, but greater care must be taken since any detail left to chance may be used to reasonably link a piece of information to a person. For example, replacing names and e-mail addresses in a list but leaving salary information will soon help to re-identify the record after pseudonymization.
An anonymized text cannot be considered to be personal information. However, GDPR still considers a pseudonymized document personal data because the process is reversible, so you are still obligated to comply.
Knowing whether the data you process is considered PII, personal data or neither is essential in your compliance journey and helps you avoid misconceptions and unnecessary costs.
Pangeanic’s recommendation is to work closely together to conduct the assessment for each data set you process and determine whether it is considered personal data, so you can comply with applicable laws.
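The following Python sketch is an added example, not code from the original article or from Pangeanic. It pseudonymizes a small constructed data set by replacing names and e-mail addresses with a keyed pseudonym, shows that the lookup table makes the step reversible, and then counts which rows remain unique on the quasi-identifiers left in place (birth year and salary), which is the re-identification risk described above and in the quasi-identifier section. The records, field names and key are assumptions made for the illustration.

```python
import hashlib
import hmac
from collections import Counter

# Constructed sample records (not real people); field names are assumptions.
RECORDS = [
    {"name": "Ana Ruiz", "email": "ana@corp.example", "birth_year": 1984, "salary": 52000},
    {"name": "Ben Cole", "email": "ben@corp.example", "birth_year": 1984, "salary": 52000},
    {"name": "Cara Diaz", "email": "cara@corp.example", "birth_year": 1990, "salary": 97500},
    {"name": "Dev Patel", "email": "dev@corp.example", "birth_year": 1990, "salary": 61000},
]
DIRECT_IDENTIFIERS = ("name", "email")


def pseudonymize(records, key):
    """Replace direct identifiers with a keyed pseudonym; return (rows, lookup)."""
    rows, lookup = [], {}
    for rec in records:
        token = hmac.new(key, rec["email"].encode(), hashlib.sha256).hexdigest()[:16]
        lookup[token] = {f: rec[f] for f in DIRECT_IDENTIFIERS}  # kept separately
        row = {k: v for k, v in rec.items() if k not in DIRECT_IDENTIFIERS}
        row["pseudonym"] = token
        rows.append(row)
    return rows, lookup


def reidentify(row, lookup):
    """Reverse the pseudonym with the lookup table: the step is not anonymization."""
    return lookup[row["pseudonym"]]


def unique_rows(rows, quasi_identifiers):
    """Rows whose quasi-identifier combination occurs exactly once (k = 1)."""
    keys = [tuple(r[q] for q in quasi_identifiers) for r in rows]
    counts = Counter(keys)
    return [r for r, k in zip(rows, keys) if counts[k] == 1]


if __name__ == "__main__":
    rows, lookup = pseudonymize(RECORDS, b"constructed-demo-key")
    print("reversible:", reidentify(rows[2], lookup)["name"])
    print("unique on birth_year only:", len(unique_rows(rows, ("birth_year",))))
    exposed = unique_rows(rows, ("birth_year", "salary"))
    print("unique on birth_year + salary:", len(exposed))
```

Rows that come back from `unique_rows` are the ones to generalize (for example, salary bands) or suppress before a data set is shared as anything other than personal data.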