Are “personal data” and “personal identifiable information” (PII) the same thing? And how does the GDPR regulate them?
What do “personal identifiable information” (PII) and “personal data” mean?
Let’s start by saying that there is no official rule to distinguish personal data from PII: the two categories overlap. However, not all personal data is PII, while all PII is personal data.
In a certain sense, the real difference between the two is more lexical than anything else: “personal data” is the more general term, while “personal identifiable information” is mainly used in the context of privacy, data breaches and identity theft.
The GDPR says that “Any data that relate to an identifiable individual is personal data”. Examples are name, surname, address, driving license number, date of birth and telephone number, but also the user name and password for an online service, or an IP address. Under the GDPR, even records of electricity and water usage are personal data, because they are used to make decisions about an individual (how much to charge them).
On the other hand, a good definition of PII is given by the US Office of Privacy and Open Government. It says that PII is “Information which can be used to distinguish or trace an individual’s identity, such as their name, social security number, biometric records, etc. alone, or when combined with other personal or identifying information which is linked or linkable to a specific individual, such as date and place of birth, mother’s maiden name, etc.”
Personal identifiable information is the personal data of particular interest to cyber criminals, and a single element of it usually has little value on its own. For example, a user’s first and last name alone may not be enough for a cybercriminal to identify a person; combined with the driving license number, however, it would be. In other words, to be useful to an attacker, PII must provide enough information about the person’s identity.
How does GDPR regulate personal data?
The GDPR requires that all personal data (and PII) must be processed in a fair, transparent, and lawful manner. Furthermore, it imposes strict requirements on how personal data must be collected, used, and protected. For example, it requires that personal data must be collected for a specific, legitimate purpose and that it must be kept secure from unauthorized access, destruction, or alteration.
These rules are designed to protect the privacy of individuals, who always have the right to:
- access their personal data,
- know how it is being used,
- request their personal data be erased (right to be forgotten) or corrected.
Moreover, companies must take extra steps to ensure the security of PII. This includes, for example, ensuring that PII is encrypted when it is stored or transmitted and that access to PII is restricted to authorized personnel only.
Companies must be aware of the different obligations imposed by the GDPR, since it provides strict penalties, including fines, for those that violate its provisions.
Personal identifiable information and Data Breach
Personal identifiable information is a type of personal data that is particularly sensitive and vulnerable to misuse. For this reason, the GDPR sets out rules on how to manage a data breach.
The GDPR defines a data breach as “a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, personal data transmitted, stored or otherwise processed”.
In case of a data breach, companies must notify the relevant authorities within 72 hours and take steps to mitigate the harm caused by the breach. If there is a real danger to people’s privacy and identity, companies must notify the affected individuals too. In general, the notification must include the nature of the breach, the personal data affected, and the steps being taken to mitigate the damage.