Personally Identifiable Information (PII) is any data that can be used to identify an individual. This can be done using direct identifiers (name, social security number, etc.) which are unique to an individual, or using quasi-identifiers (date of birth, race, postal code, etc.) which in isolation cannot pinpoint an individual, but in conjunction with multiple other quasi-identifiers can ultimately lead to identification.
Regulatory compliance and PII
The definition of PII changes from country to country across various regulations. There is currently no exhaustive definition, as its legal ramifications continue to evolve every year. In some instances, PII is also referred to as “personal data”, although there is a difference between the two. An example of this is in Europe, where the term “personal data” is defined much more broadly under the General Data Protection Regulation (GDPR). Under the GDPR, PII is considered “any information which is related to an identified or identifiable natural person”.
For this reason, it is important for businesses to stay up to date on annual regulatory changes so that they know what qualifies as PII and avoid being fined.
Who is responsible for data protection & why is it important?
As consumers continue to demand privacy, the demand for data protection increases. In today’s world, personal data can be used to steal or exploit an individual’s identity, so it is imperative that companies incorporate privacy into their workflows. Every business that collects individuals’ data is in turn responsible for protecting that data.
Whether you’re looking to build an in-house solution to handle your PII, or onboard an external vendor, it’s important to be realistic about the solution’s capabilities and gaps. One misconception is that PII can be 100% removed or scrubbed from a dataset. You can read more about this in Private AI’s whitepaper, which outlines the results of a redaction accuracy technical test.
It’s crucial for companies to understand what PII, and how much of it, is being collected from their users, to evaluate their data management protocols and tools, and to stay up to date on evolving data protection regulations.