Personally Identifiable Information (PII)
What is Personally Identifiable Information (PII)?
Any data that can identify a specific individual on its own or when combined with other information, such as names, identifiers, or biometric records.
Personally Identifiable Information (PII) refers to data that distinguishes or traces an individual's identity, either directly (name, government ID, email) or indirectly when linked with other attributes (date of birth, ZIP code, device identifiers). Regulators distinguish direct identifiers, quasi-identifiers, and sensitive categories such as health or biometric data, which carry stricter handling rules under GDPR Article 9 and U.S. sectoral laws like HIPAA. Organizations inventory PII, apply data classification, encrypt it at rest and in transit, restrict access on a need-to-know basis, and log processing activities. Effective programs also document lawful bases, minimization, and retention to limit exposure during a breach.
● Examples
1. A customer record containing full name, email address, and phone number stored in a CRM.
2. An HR database linking employee ID, national insurance number, and salary.
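The following is an added example, not part of the original glossary entry, showing how the direct / quasi-identifier / special-category distinction from the definition is applied to a record like example 1: direct identifiers are pseudonymized with a separately kept key, quasi-identifiers are generalized, special-category data is refused, fields outside the stated purpose are dropped, and every decision is logged. The field classes, key and sample record are assumptions constructed for the demo.

```python
import hashlib
import hmac

# Assumed field classes for the demo (direct / quasi / sensitive); not a regulatory list.
CLASSIFICATION = {
    "full_name": "direct", "email": "direct", "phone": "direct",
    "date_of_birth": "quasi", "zip": "quasi",
    "health_condition": "sensitive",  # GDPR Article 9 special category
}
# Constructed sample key; keep the real one separately from the data it pseudonymizes.
PSEUDONYM_KEY = b"constructed-demo-key-store-me-elsewhere"

def pseudonymize(value: str) -> str:
    """Keyed HMAC-SHA256 alias: stable across records, not reversible without the key."""
    return hmac.new(PSEUDONYM_KEY, value.strip().lower().encode(), hashlib.sha256).hexdigest()[:16]

def generalize(field: str, value: str) -> str:
    """Coarsen quasi-identifiers so combinations no longer single out one person."""
    if field == "date_of_birth":
        return value[:4]          # birth year only
    if field == "zip":
        return value[:3] + "xx"   # 3-digit ZIP prefix
    return value

def minimize(record: dict, purpose_fields: set):
    """Return (output_record, processing_log): drop fields outside the purpose or of unknown
    class, pseudonymize direct identifiers, generalize quasi-identifiers, refuse special categories."""
    out, log = {}, []
    for field, value in record.items():
        cls = CLASSIFICATION.get(field, "unknown")
        if field not in purpose_fields or cls == "unknown":
            log.append(f"drop {field} ({cls})")
        elif cls == "sensitive":
            log.append(f"refuse {field} (special category)")
        elif cls == "direct":
            out[field] = pseudonymize(value)
            log.append(f"pseudonymize {field}")
        else:
            out[field] = generalize(field, value)
            log.append(f"generalize {field}")
    return out, log

SAMPLE = {  # constructed customer record, modelled on example 1 above
    "full_name": "Ada Example", "email": "Ada@example.test", "phone": "+44 20 7946 0000",
    "date_of_birth": "1985-03-09", "zip": "02139", "health_condition": "asthma", "loyalty_tier": "gold",
}
PURPOSE = {"email", "date_of_birth", "zip", "health_condition", "loyalty_tier"}  # fields one downstream job asked for

if __name__ == "__main__":
    print(*minimize(SAMPLE, PURPOSE), sep="\n")
```

The processing log is the kind of record-keeping the definition refers to: it shows which fields were released, in what form, and which requests were refused.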
● Frequently asked questions
What is Personally Identifiable Information (PII)?
Any data that can identify a specific individual on its own or when combined with other information, such as names, identifiers, or biometric records. It belongs to the Privacy & Data Protection category of cybersecurity.
What does Personally Identifiable Information (PII) mean?
Any data that can identify a specific individual on its own or when combined with other information, such as names, identifiers, or biometric records.
How does Personally Identifiable Information (PII) work?
Personally Identifiable Information (PII) refers to data that distinguishes or traces an individual's identity, either directly (name, government ID, email) or indirectly when linked with other attributes (date of birth, ZIP code, device identifiers). Regulators distinguish direct identifiers, quasi-identifiers, and sensitive categories such as health or biometric data, which carry stricter handling rules under GDPR Article 9 and U.S. sectoral laws like HIPAA. Organizations inventory PII, apply data classification, encrypt it at rest and in transit, restrict access on a need-to-know basis, and log processing activities. Effective programs also document lawful bases, minimization, and retention to limit exposure during a breach.
How do you protect Personally Identifiable Information (PII)?
Protecting Personally Identifiable Information (PII) typically combines technical controls (data classification, encryption at rest and in transit, need-to-know access restriction, logging of processing) with operational practices (documented lawful bases, minimization, and retention limits), as detailed in the full definition above.
What are other names for Personally Identifiable Information (PII)?
Common alternative names include: Personal Data, Personal Information.
● Related terms
- Data Classification (privacy): The process of labeling data by sensitivity and value so that the right protection, handling, and retention controls can be applied consistently.
- Data Minimization (privacy): A privacy principle requiring organizations to collect, process, and retain only the personal data that is strictly necessary for a defined, lawful purpose.
- Data Loss Prevention (DLP) (privacy): A set of technologies and policies that detect and block unauthorized exfiltration of sensitive data across endpoints, networks, email, and cloud services.
- GDPR (compliance): The European Union's General Data Protection Regulation governing the processing of personal data of individuals in the EU and EEA.
- Pseudonymization (privacy): A technique that replaces direct identifiers in personal data with reversible aliases, so that the data can no longer be attributed to an individual without additional, separately kept information.
- Data Masking (privacy): Replacing sensitive data with realistic but fictitious values so that downstream users, applications, or environments can use the data without exposing the originals.
● See also
- k-Anonymity
- Data Subject Access Request (DSAR)
- Tokenization (Privacy)
- Data Breach
- Data Leak
- Identity Theft
- Doxxing
- Swatting