What is Personally Identifiable Information (PII)?
Last editedOct 20203 min read
Online security is a significant area of interest to any business. Processing customer data comes with the responsibility to keep it secure. This is particularly important when it comes to personally identifiable information, or PII.
Understanding personally identifiable information (PII)
Any information or data that could be used to identify someone qualifies as personally identifiable information. Examples include directly identifiable information such as your passport number and social security number, as well as more indirect identifiers such as a person’s last name and date of birth. When combined, these less direct identifiers can be used to pinpoint an individual’s identity. Biometrics information, geolocation, digital images, and behavioral information also can be classified as PII. Here are some examples of both sensitive and non-sensitive PII:
Sensitive personally identifiable information examples
Sensitive PII is information that is unique to an individual. Examples include:
Passport number
Social Security Number
Driver’s license number
Tax documents
Banking details
Medical records
Mailing address
Non-sensitive personally identifiable information examples
Non-sensitive information can be found in public records, including online address books, social media profiles, and corporate directories. This includes:
ZIP code
Race
Date of birth
Gender
The importance of personally identifiable information
With most businesses that use technology platforms and online storage, it’s more vital than ever to take care of PII and customer data. Mobile phone numbers, banking and credit card details, and social media profiles combine to create an individual’s PII footprint. If left unprotected, these details can be used to commit fraud or identity theft. Personally identifiable information constitutes big data. This information is stored, collected, and analyzed by businesses for many purposes, including target marketing.
Security issues associated with personally identifiable information
As one might expect, the prevalence of identifying data and financial details also makes businesses vulnerable to cyber-attacks. Data breaches are an unfortunate occurrence for businesses of all sizes.
A high-profile example of a data breach occurred in 2018, when Cambridge Analytica acquired the personal data of 50 million Facebook users without permission. In this case, the PII was accessed through an online personality quiz. While users consented to share their profile information, a loophole in the system allowed the firm to collect the data of their contacts. Cambridge Analytica then sold this information without consent. Facebook was eventually fined for the breach.
This showcases the need for companies to have a firm PII safeguarding policy, adhering to all associated regulations.
PII and data protection laws
Data protection laws apply to all companies that collect, store, or share personally identifiable information. This includes regulations that state some forms of sensitive information should not be gathered in the first place, thereby minimizing the risk of a data breach. You also need to pay attention to guidelines stating when data should be deleted after it’s been collected.
One of the key data protection laws you’ll need to bear in mind is GDPR. The General Data Protection Regulation (GDPR) came into effect in May of 2018. Although this regulation is an EU initiative, it applies to any country that processes data from European citizens. It’s important to make sure your business is compliant, as failure to meet GDPR regulations can result in fines of up to €20 million.
PII and user rights
To comply with GDPR, companies must now ensure that every customer opts in to sharing personally identifiable information. Websites or other online resources must clearly state how data is collected, what it’s used for, and when it will be deleted. Documentation must be kept of the user opting in to data storage, and participants have the right to delete personal data upon request. These new regulations are designed to give individuals greater control over their identifying information.
To be compliant, companies need to know precisely where big data is stored and track it carefully. Security teams must be trained in GDPR compliance to avoid the hefty fines mentioned above. It’s worth considering hiring a data protection officer (DPO) to keep the business up to speed. Currently, GDPR applies only to EU citizens, but any organization working with EU citizens will need to be compliant. It’s also well worth putting similar systems in place for other citizens, as it’s highly likely that there will continue to be a need for greater security and transparency.
What should you do if there’s a data breach?
We’ve now given a personally identifiable information definition and looked at some of the systems put in place to protect it. So, what happens when something goes wrong?
A high-profile data breach can be one of the worst things that can happen to a business. It erodes customer trust and can lead to financial losses, so it’s important to take swift action if any data breach occurs. Any personal data breach is required to be reported as quickly as possible to the data protection authority. Impacted customers must also be notified unless the PII was fully anonymized.
Companies that need to share customer data must use encryption or data anonymization to obscure this PII. If a medical insurance company plans to share data with an advertising firm, they would need to block out any identifying details like medical records and home addresses. It’s also essential to protect non-sensitive information.
We can help
GoCardless helps you automate payment collection, cutting down on the amount of admin your team needs to deal with when chasing invoices. Find out how GoCardless can help you with ad hoc payments or recurring payments.