Personally identifiable information (PII) is any information that can identify an individual directly or indirectly. PII includes details such as name, place of residence, gender, phone number, and so on. PII can be used on its own or combined with other identifiers to recognize an individual.
Some examples of PII:
| Type of information | Example |
| --- | --- |
| Name | Full name, maiden name, alias |
| Personal identification numbers | Social Security number (SSN), passport number, driver's license number, credit/debit card number, financial account number, state identification number |
| Addresses | Street address, email address |
| Asset information | IP address, MAC address |
| Personal characteristics | Photographs (with identifying features or faces), fingerprints, handwriting, retina scan, voice signature |
| Information identifying personally owned property | Vehicle registration number |
Sensitive PII vs. non-sensitive PII
| Sensitive PII | Non-sensitive PII |
| --- | --- |
| Contains information that can directly identify an individual and can harm the individual if exposed | Contains information usually found in public records or websites and does not cause any harm to the individual if exposed |
| Should be transmitted with encryption | Can be transmitted without encryption |
| Also known as linked information, because an individual can be directly identified without the need for additional information | Also known as linkable information, because an individual can be identified when this data is combined with other information |
The General Data Protection Regulation (GDPR) mandates that organizations that store and process the PII of residents of the European Union and the European Economic Area follow policies and guidelines that secure this data against internal and external threats. Organizations that are not GDPR compliant have to pay hefty fines that can cost up to several million euros.
In addition, the GDPR gives users more rights over their data. Users must give explicit consent to their data being stored and processed by an organization, and they can also demand that their data be deleted.