What is PII (Personally Identifiable Information)?
Personally identifiable information (PII) is information that can be used to verify a person’s identity. Also referred to as personal data or personal information, PII includes data such as name, address, email, phone, social security number, credit card number, banking information, date of birth, mother’s maiden name, etc.
You can separate PII into two categories:
- Sensitive PII: Personal information that can result in serious damage to an individual if lost or stolen. This type of PII must be secured and encrypted when transmitted.
- Non-sensitive PII: Personal information that can be obtained by publicly available sources such as race, zip code, gender, or date of birth. Non-sensitive PII cannot discern an individual’s identity (unless combined with sensitive PII) and does not need to be encrypted when transferred.
Privacy Regulations Protect PII
Many privacy regulations address how companies must collect and manage PII. The most well-known is the European Union’s (EU) GDPR (General Data Protection Regulation).
Other privacy regulations include CCPA (California Consumer Privacy Act), (PIPEDA) Canada’s Personal Information Protection and Electronic Documents Act, and (POPI) South Africa’s Protection of personal information. Every year, more regulations are coming into place, including additional US state privacy regulations. GDPR has been a guiding standard for many of the privacy laws coming into existence today as it’s one of the most stringent in terms of how companies capture, store, and use personal information and the penalties for non-compliance.
Each privacy legislation defines PII slightly differently and has different requirements for how PII is managed. For example, the GDPR also considers cookies and IP addresses PII, but other regulations do not. Also, CCPA does not apply to all companies; instead, focusing on companies that do business in California that hit a certain revenue level (along with other qualifiers). ‘
More: International Data Privacy Laws and Regulations
Growing Concerns Over the Protection of PII
Although the proper security and protection of PII have been necessary for a long time, it’s only been in the last few years with the growth of digital experiences that data privacy has become a serious issue. As a result, consumers have become more concerned with why and how companies collect their personal information, what they are doing with it, and how they are keeping it safe.
The increase in cyber-attacks and data breaches grows every year, and millions of consumers have had their data stolen and misused. For example, global ransomware damage is predicted to exceed $265 billion by 2031. In addition, some companies sell their customer data, and it’s not always clear how that data is used and abused by the companies that buy it.
Managing Privacy and PII
Regardless of which privacy regulations a company has to adhere to, it’s critical to manage personally identifiable information (PII) securely. To do this, companies have employed a Chief Privacy Officer and privacy teams to manage privacy processes. These processes include what information is collected and used, how PII is stored and protected, adherence to applicable privacy regulations like consent management, dealing with non-compliance issues, data breaches, etc.