When we speak about the difference between PII and GDPR's personal data and privacy, we will find different terms according to the jurisdiction we deal with. Although the meaning is generally understood to be similar, there is often confusion between them and they actually deal with different types of personal data. PII (Personally identifiable information) is the term used in the USA, while the term personal data is the term generally described in the EU’s General Data Protection Regulation.
Although it is true that both terms are often interchanged as if they were synonyms, we should have it very clear that they have a different meaning. Delving into the what is understood by PII and by GDPR’s Personal Data, we will find that we are dealing with slightly different requirements.
Since the legal system in the USA is composed of different regulations and different federal and state laws, the definition of PII is not as consistent or a structured as the personal data defined in the GDPR for the countries in the European Union.
To start with, it is complicated to outline the difference between PII and personal data because PII is defined across multiple laws, regulations and procedures, such as:
Health Insurance and Portability Act (HIPAA)
US Department of Labor
Federal Trade Commission (FTC)
Children’s Online Privacy Protection Act (COPPA)
National Institute of Standards and Technology (NIST)
This variety of sources define PII or specific parts of it differently (like HIPAA covers Protected Health Information or PHI). This creates a lot of granular variations when it comes to actually defining a set of minimum items that should be anonymized and what private, personal data is.
GDPR’s definition of personal can sometimes can look wider when compared to the definition of Personally identifiable information in the US because the European regulation includes the link between the personal data and an identifiable individual, which many times is not so tangible.
Therefore, in general, Personally Identifiable Information can be considered as a subset of the EU’s GDPR definition. Nonetheless, there are also other definitions that closely match with the GDPR definition of personal data.
Personally Identifiable Information is any piece of information that can be used to identify an individual directly or indirectly. But let’s remember that the definition of PII can differ according to any of the five sources above since there is no nationwide definition and it is also not regulated by specific national legislation.
For example, the definition by NIST (National Institute of Standards and Technology) says that PII is:
"Any information about an individual maintained by an agency, including (1) any information that can be used to distinguish or trace an individual’s identity, such as name, social security number, date and place of birth, mother‘s maiden name, or biometric records; and (2) any other information that is linked or linkable to an individual, such as medical, educational, financial, and employment information."
In practice, as there is no golden rule or "source of truth" for the definition of Personal Identifiable Information, the most useful way to determine what information is and what information isn’t PII is through individual assessment and paying attention to the procedure, law, regulation, or standard governing your specific State, industry or field of application.
US corporations are responsible for compliance with the applicable data protection laws in each jurisdiction they operate. Clearly, one of the first steps towards compliance is understanding which data is considered PII (or, if dealing with European users, "Personal Data") and if they are required to take additional safeguards.
PII can typically include obvious contact data and identifiable data such as the person’s full name, phone number, passport number, home address, social security number, driver’s license number, email address, and other digital data like IP address, and geolocation. There are other items that are considered sensitive data, particularly biometric data or medical records.
Just as it happens with GDPR, it is important to note that not all PII requires the same level of protection and not all of it is equally sensitive.
A logical step to ascertain if some data is sensitive data is by asking oneself if disclosing that PII can result in severe damage to the individual’s privacy or otherwise.
A person’s full Name | A person’s address information | Personal telephone number | Login data |
Social security number | Credit card number | Email address | Biometric data: fingerprints, retina scans, or voice signature |
Passport number | Driver’s license number | IP address /geolocation | Medical records |
Quasi-identifiers (also known as linkable information) are not considered PII on their own. It is important to remember, though that when linked to any other piece of personal information, a quasi-identifier could identify a specific individual and, in context, represent PII as well.
Quasi-identifiers are information about an individual or related to that person for which there may be a possible, logical association – and this partial information, together with other information about the individual can lead you to trace and identify the person, for example,
Race and Gender
Age or date of birth
Religion
Business telephone number
Place of birth
Education information…
Related content:
Working with aggregate data: what needs to be taken into account?
Non-PII would be a piece of information that doesn’t allow you to identify an individual. This, however, can be very vague when compared to GDPR’s definition of Personal Data.
Some definitions of PII in the US don’t include cookie IDs or IP addresses, which directly collides with the GDPR’s definition.
Aggregated statistics
Internet Protocol (IP)
Media Access Control (MAC) addresses
Cookie ID
Device ID
Only NIST clearly states that linked information can be considered asset information (including Internet Protocol (IP), Media Access Control (MAC) address, or other host-specific identifiers that link to a particular person or even a small/specific group of people). This, in fact, means cookies and device ID can be considered a PII. Again, depending on who you ask.
If your customer base is partly in Europe and you deal with European clients, we recommend you understand and familiarize yourself with the concept of Personal Data defined by GDPR as it is one of the basics for obtaining GDPR compliance. The fact that you are operating from the US or elsewhere does not matter, since all corporations that process the personal data of any EU citizen or resident are obligated to comply with GDPR, even if the processing takes place outside the EU. GDPR covers European citizens’ data even if they are not resident in the EU. This is very important because GDPR has a global reach and it is not just for EU companies -which obviously have had to comply with it strictly since 2018.
GDPR defines Personal Data as “any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.”
For GDPR, Personal Data means (but is also not limited to):
name and last name
home address
identification number
Internet Protocol address (IP address)
cookie ID
sensitive data such as criminal records, medical records, religious and philosophical beliefs, and more…
According to GDPR, there is some type of information that is not considered Personal Data and includes (but is not limited to):
Information about legal entities such as companies or public authorities. An exception is if the information is related to an individual (partners, company employees, stakeholders, managers) if the individual can be identified as and the information is related to that individual
The following is not considered personal data:
company registration number
general email addresses not containing personal data (info@mycompany.com)
information related to a deceased individual
anonymized data
Keep reading:
6 personal data anonymization techniques you should know about
The difference between anonymization, pseudonymization, and data-masking really calls for an in-depth explanation. In short, anonymization is the transformation of data so that the data is no longer identifiable as being associated with a particular person. The action is irreversible and the altered data cannot be used to directly or indirectly identify an individual. Anonymization is effective if the identification of the individual associated with the data is not possible even with the addition of other knowledge about the anonymized data.
Pseudonymization is a data management procedure by which personally identifiable information fields within a consumer data record are replaced by one or more artificial identifiers, or pseudonyms, which may be recalled at a later date to re-identify the record. Data pseudonymization can be used when you will need to re-identify users in the future, but greater care must be taken since any detail left to chance may be used to reasonably link a piece of information to a person. For example, replacing names and e-mail addresses in a list, but leaving salary information will soon help to re-identify the record after pseudonymization.
An anonymized text cannot be considered to be personal information. However, GDPR still considers a pseudo-anonymized document of personal data because the process is reversible, so you are still obligated to comply.
Knowing whether the data you process is considered PII or personal data or none is essential in your compliance journey and help you avoid any misconceptions and unnecessary costs.
Pangeanic’s recommendation is to closely work together to conduct the assessment for each data set you process to make sure if it is considered personal data so you can comply with applicable laws.