What is Personally Identifiable Information (PII)?

Pandectes GDPR Compliance app for Shopify - What is Personally Identifiable Information (PII) - cover

Personally identifiable information (PII) is any data that can be used to identify a specific individual, on its own or in combination with other data. It includes sensitive data such as medical records, financial account information, passport numbers, driver’s license numbers, and Social Security numbers. As more PII is stored and transmitted electronically, it is increasingly exposed to data breaches and identity theft. This article explains what PII is, how it is used and misused, and the best practices for protecting it.

What is considered PII?

PII includes any information that can be used to identify a specific individual. This may include their name, home address, phone number, email address, date of birth, birthplace, mother’s maiden name, and passport number, among other personal identifiers. Additionally, PII can include biometric records, such as fingerprints or facial recognition data, and other sensitive information, such as medical history and financial account information.

What is PII under General Data Protection Regulation (GDPR)?

The General Data Protection Regulation (GDPR) is an EU regulation that governs how personal data is collected, stored, processed, and transferred. The GDPR does not use the term PII; its equivalent is “personal data”, defined in Article 4(1) as any information relating to an identified or identifiable natural person. A person is identifiable if they can be singled out directly or indirectly, for example by reference to a name, an identification number, location data, an online identifier, or one or more factors specific to that person. The GDPR also sets stricter rules for special categories of personal data, such as biometric data used to identify a person and data concerning health.

GDPR: Approaches for protecting Personally Identifiable Information (PII)

The GDPR has no formal “sensitive” and “non-sensitive” split. It distinguishes ordinary personal data from the special categories of personal data listed in Article 9, and the security it requires scales with the risk to the individual. The sensitive versus non-sensitive distinction below is a practical way to think about that.

Sensitive PII

Sensitive PII refers to information that, if compromised, could cause serious harm to an individual, such as medical or financial information. Under the GDPR, the Article 9 special categories (for example health data, genetic data, biometric data used to identify a person, racial or ethnic origin, political opinions, religious beliefs, and sexual orientation) may only be processed under narrow conditions, and processing that is likely to result in high risk requires a data protection impact assessment (Article 35). Such data calls for extra care: encryption, stricter access controls, and tighter retention. Financial account data is not an Article 9 category, but a breach of it would normally be treated as high-risk as well.

Non-sensitive PII

Non-sensitive PII refers to information whose compromise, on its own, would not normally cause serious harm, such as a name or a business email address. The GDPR still treats it as personal data: it must be processed lawfully, kept only as long as necessary, and protected with security measures appropriate to the risk (Article 32).

Sensitive vs. non-sensitive PII

The distinction between sensitive and non-sensitive PII is not always clear-cut and depends on context. A driver’s license number is a direct identifier on its own, while an age range, a ZIP code, or a date of birth looks innocuous in isolation but can single out one person when combined with other fields. Likewise, a plain list of names becomes sensitive when it is the list of patients at a particular clinic. Classify data by what it reveals in combination, not field by field.
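The “in combination” point above is easiest to see with data. The following is an added example, not code from the original article: a small constructed table with names and Social Security numbers stripped, a constructed public list (think of a voter roll) that shares the ZIP code, birth year and sex columns, and a linkage that recovers a name for every row that is unique on those three fields. It also shows one mitigation, coarsening the quasi-identifiers until no row stands alone. All records, names and ZIP codes are made up.

```python
"""Re-identification from 'non-sensitive' fields.

Added example, not from the original article. The records, names and
ZIP codes below are constructed for illustration.
"""
from collections import Counter

# Quasi-identifiers: none is a direct identifier, but together they
# often single out one person.
QUASI_IDS = ("zip", "birth_year", "sex")

# Constructed "de-identified" health table: names and SSNs removed.
RECORDS = [
    {"zip": "02139", "birth_year": 1984, "sex": "F", "diagnosis": "asthma"},
    {"zip": "02139", "birth_year": 1984, "sex": "M", "diagnosis": "flu"},
    {"zip": "02139", "birth_year": 1991, "sex": "F", "diagnosis": "flu"},
    {"zip": "10001", "birth_year": 1975, "sex": "M", "diagnosis": "diabetes"},
    {"zip": "10001", "birth_year": 1975, "sex": "M", "diagnosis": "flu"},
    {"zip": "02144", "birth_year": 1995, "sex": "M", "diagnosis": "asthma"},
]

# Constructed public list carrying the same fields plus a name.
PUBLIC_LIST = [
    {"name": "A. Example", "zip": "02139", "birth_year": 1984, "sex": "F"},
    {"name": "B. Example", "zip": "10001", "birth_year": 1975, "sex": "M"},
]


def key_of(record, quasi_ids=QUASI_IDS):
    """The tuple of quasi-identifier values for one record."""
    return tuple(record[q] for q in quasi_ids)


def equivalence_classes(records, quasi_ids=QUASI_IDS):
    """How many records share each combination of quasi-identifier values."""
    return Counter(key_of(r, quasi_ids) for r in records)


def k_anonymity(records, quasi_ids=QUASI_IDS):
    """Size of the smallest class; k == 1 means someone is uniquely identifiable."""
    classes = equivalence_classes(records, quasi_ids)
    return min(classes.values()) if classes else 0


def unique_fraction(records, quasi_ids=QUASI_IDS):
    """Share of records that are the only one in their class."""
    classes = equivalence_classes(records, quasi_ids)
    singletons = sum(1 for r in records if classes[key_of(r, quasi_ids)] == 1)
    return singletons / len(records) if records else 0.0


def link(public, deidentified, quasi_ids=QUASI_IDS):
    """Linkage attack: join the two tables on the quasi-identifiers and report
    name -> diagnosis wherever the de-identified side has exactly one match."""
    classes = equivalence_classes(deidentified, quasi_ids)
    matches = {}
    for person in public:
        key = key_of(person, quasi_ids)
        if classes.get(key) == 1:
            row = next(r for r in deidentified if key_of(r, quasi_ids) == key)
            matches[person["name"]] = row["diagnosis"]
    return matches


def generalize(record):
    """One mitigation: coarsen the quasi-identifiers (3-digit ZIP prefix,
    10-year birth band, suppressed sex) so each class holds several people."""
    return {
        **record,
        "zip": record["zip"][:3] + "**",
        "birth_year": record["birth_year"] // 10 * 10,
        "sex": "*",
    }


if __name__ == "__main__":
    print("k-anonymity of raw table:", k_anonymity(RECORDS))
    print("re-identified:", link(PUBLIC_LIST, RECORDS))
    coarse = [generalize(r) for r in RECORDS]
    print("k-anonymity after generalization:", k_anonymity(coarse))
    print("re-identified after generalization:",
          link([generalize(p) for p in PUBLIC_LIST], coarse))
```

On the raw table four of the six rows are unique on ZIP, birth year and sex, so the linkage names one patient and their diagnosis even though no name or identifier was ever in the table. After generalization every class has at least two members and the linkage finds nothing; the price is coarser data, which is the usual trade-off when releasing “anonymized” records.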

Who is responsible for safeguarding PII?

In most cases, the organization that collects an individual’s PII is responsible for safeguarding it. This includes corporations, healthcare providers, financial institutions, and government agencies. In GDPR terms that organization is the “controller”; a vendor that handles the data on its behalf is a “processor” and carries its own security obligations. Individuals are also responsible for protecting their own PII by being careful about who they share it with and how it is stored and transmitted.


Personally Identifiable Information (PII) in privacy law

Several laws and regulations govern the collection, storage, and transmission of PII. In the United States, the Privacy Act of 1974 regulates how federal agencies collect and use records about individuals. In the EU, the GDPR applies to organizations that process the personal data of people in the EU, including organizations outside the EU that offer them goods or services or monitor their behaviour.

PII laws and regulations

Other relevant sources include the National Institute of Standards and Technology (NIST), whose Special Publication 800-122 gives guidance on protecting the confidentiality of PII, and sector-specific rules such as HIPAA for healthcare providers and PCI DSS for organizations that handle payment card data.

What laws protect PII?

Numerous laws and regulations protect personally identifiable information, both in the United States and globally. The US has no single comprehensive federal privacy law. The Privacy Act of 1974 regulates the collection, use, and disclosure of records about individuals held by federal agencies, and state laws such as the California Consumer Privacy Act (CCPA) cover many private-sector businesses.

In addition, the Health Insurance Portability and Accountability Act (HIPAA) regulates the use and disclosure of protected health information by covered entities such as healthcare providers and insurers, and by their business associates. Other federal laws also protect PII: the Fair Credit Reporting Act governs consumer credit information, and the Children’s Online Privacy Protection Act (COPPA) governs personal information collected online from children under 13.

At the global level, the European Union’s General Data Protection Regulation (GDPR) regulates the collection, use, and disclosure of personal data by organizations established in the EU. The GDPR also has extraterritorial reach: under Article 3(2) it applies to organizations elsewhere that offer goods or services to, or monitor the behaviour of, people in the EU, regardless of where the organization is based.

Creating a data privacy framework

To protect PII from leaks, organizations should create a data privacy framework of policies, procedures, and technical controls. On the technical side this means knowing where PII is stored (a data inventory), collecting and retaining only what is needed, encrypting sensitive data at rest and in transit, restricting access on a least-privilege basis and logging who accesses it, keeping PII out of application logs and test environments, and regularly reviewing and testing these controls to ensure they remain effective.
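Two of those technical controls are concrete enough to show in code. The block below is an added example, not code from the original article: a small scanner that finds and redacts email addresses, US Social Security numbers and payment card numbers before a log line is written (using the Luhn checksum to tell a card number from an order ID), and a keyed pseudonymization routine (HMAC-SHA256) that turns an identifier into a stable token for analytics without exposing the identifier, alongside the unkeyed hash it replaces and why that one fails. The log lines, the key and the regular expressions are constructed for illustration; the patterns are a starting point, not a complete PII scanner.

```python
"""Two technical controls from a data privacy framework, applied to log lines.

Added example, not from the original article. The log lines and the key
are constructed for illustration; the regexes are a starting point, not a
complete PII scanner.
"""
import hashlib
import hmac
import re
from typing import Optional

EMAIL = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")
SSN = re.compile(r"\b\d{3}-\d{2}-\d{4}\b")        # US SSN shape
CARD = re.compile(r"\b\d(?:[ -]?\d){12,18}\b")    # 13-19 digits, optional separators

# Constructed log lines: the first two leak PII, the third only looks like it does.
SAMPLE_LOG = [
    "2024-05-01T10:00:00Z INFO checkout user=alice@example.com card=4111 1111 1111 1111 ok",
    "2024-05-01T10:00:01Z WARN kyc ssn=123-45-6789 failed",
    "2024-05-01T10:00:02Z INFO order id=1234 5678 9012 3456 shipped",
]


def luhn_ok(candidate: str) -> bool:
    """Luhn checksum: separates real card numbers from order IDs and other
    long digit strings, cutting false positives in the scanner."""
    digits = [int(c) for c in candidate if c.isdigit()]
    if not 13 <= len(digits) <= 19:
        return False
    total = 0
    for i, d in enumerate(reversed(digits)):
        if i % 2 == 1:                      # double every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def classify(line: str) -> set:
    """Which PII types a line contains (useful for alerting before redaction)."""
    found = set()
    if EMAIL.search(line):
        found.add("email")
    if SSN.search(line):
        found.add("ssn")
    if any(luhn_ok(m.group()) for m in CARD.finditer(line)):
        found.add("card")
    return found


def redact(line: str) -> str:
    """Control 1: keep PII out of logs. Replace identifiers with typed
    placeholders so the line stays useful for debugging without the data."""
    line = EMAIL.sub("[EMAIL]", line)
    line = SSN.sub("[SSN]", line)
    return CARD.sub(lambda m: "[CARD]" if luhn_ok(m.group()) else m.group(), line)


def pseudonymize(identifier: str, key: bytes) -> str:
    """Control 2: keyed pseudonymization. HMAC-SHA256 under a secret key gives a
    stable token for joins and analytics that cannot be reversed, or confirmed
    by guessing, without the key. Normalize first so 'Alice@X.com' and
    ' alice@x.com ' map to the same token."""
    normalized = identifier.strip().lower().encode()
    return hmac.new(key, normalized, hashlib.sha256).hexdigest()[:16]


def unkeyed_hash(identifier: str) -> str:
    """What NOT to do: a plain hash of a low-entropy identifier."""
    return hashlib.sha256(identifier.encode()).hexdigest()


def dictionary_attack(digest: str, candidates) -> Optional[str]:
    """An unkeyed hash of an SSN or email is reversed by hashing guesses;
    the whole SSN space is only 10^9 values."""
    return next((c for c in candidates if unkeyed_hash(c) == digest), None)


if __name__ == "__main__":
    key = b"constructed-demo-key-keep-the-real-one-in-a-secrets-manager"
    for line in SAMPLE_LOG:
        print(sorted(classify(line)), "->", redact(line))
    print(pseudonymize("Alice@Example.com", key) == pseudonymize(" alice@example.com ", key))
    print(dictionary_attack(unkeyed_hash("123-45-6789"), ["000-00-0000", "123-45-6789"]))
```

The redaction step belongs in the logging pipeline itself (a formatter or filter), not in a cleanup job run after the fact, because a log that has already been shipped to a third-party service has already leaked. The HMAC key must be kept in a secrets manager and never alongside the pseudonymized data; with the key, tokens can be recomputed for any candidate identifier, which is why an unkeyed hash offers no real protection for identifiers drawn from a small space.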

How is PII used in identity theft?

Identity theft is a serious concern in today’s digital age, and it can occur when a criminal obtains your personally identifiable information (PII) and uses it to impersonate you. PII is valuable to identity thieves because it allows them to access your financial accounts, open new credit accounts, apply for loans, and engage in fraud. Once an identity thief has your PII, they can wreak havoc on your life by damaging your credit score, causing you to lose money, and even leading to legal troubles.

Some common ways identity thieves steal PII include hacking into databases, phishing scams, and stealing physical or electronic documents. For instance, an identity thief might obtain your credit card information by skimming your card at a gas pump or ATM. Alternatively, they could send you a fake email that looks like it’s from your bank, asking you to provide your login credentials or personal information.

How stolen PII is used

Once an identity thief has obtained your PII, they can use it in several ways. Opening new credit accounts is one of the most common uses of stolen PII and can leave considerable debts in your name that you may not discover until it is too late. Identity thieves can also use your PII to take out loans, apply for government benefits, and obtain medical care, and they can commit crimes under your identity, leaving you to deal with the arrest or legal trouble that follows.

Tips on protecting PII

You can take several steps to protect your PII and reduce the risk of identity theft. Some of the most important tips include:

  1. Be careful with your personal information: Don’t share your PII unless it’s absolutely necessary. Avoid giving out your Social Security number, credit card number, or other sensitive information unless you’re dealing with a trusted organization or individual.

  2. Use strong passwords: Make sure your passwords are strong and unique and avoid using the same password across multiple accounts.

  3. Keep your software up to date: Ensure your operating system and antivirus software are up to date to prevent hackers from exploiting vulnerabilities.

  4. Monitor your accounts: Keep an eye on your bank and credit card statements, and immediately report any suspicious activity to your bank or credit card company.

  5. Shred sensitive documents: When you no longer need sensitive documents like bank statements or credit card offers, make sure to shred them before disposing of them.

What qualifies as PII?

PII can include any information that can be used to identify a specific person. This can consist of names, addresses, Social Security numbers, driver’s license numbers, passport information, phone numbers, and email addresses. PII can also include biometric data like fingerprints, facial recognition data, and iris scans. Generally, any data that can be used to identify a person uniquely can be considered PII.


Children’s protection

Parents must protect their children’s PII by limiting the personal information they share online. Parents should also ensure that their children know the potential dangers of sharing too much information on the internet.

Examples of children’s PII include their name, age, gender, date of birth, school, grade level, and any other information that can identify them. Parents should also be aware of the risks of social media platforms that collect personal information, such as Facebook or Instagram.

Parents should always review the privacy policies of websites and apps their children use and ensure that their children understand what information they are sharing online. Parents should also teach their children to be cautious of requests for their personal information, such as their phone numbers, addresses, or photos.

Consider convenience and privacy

In today’s digital world, people increasingly trade their privacy for convenience. When people use social media platforms or online services, they often have to provide personal information to access these services. However, individuals must weigh the convenience of using these services with the potential risk of sharing their personal information.

Individuals should always read the privacy policies of any online services they use and understand what personal information is being collected and how it is used. Individuals should also be cautious of requests for personal information and only provide it when necessary.

Personally Identifiable Information vs. Personal Data

The terms “personally identifiable information” and “personal data” are often used interchangeably, but they are not the same. PII is the term used in US law and practice for information that can be used to identify a specific individual. Personal data is the GDPR’s term and is broader: any information that relates to an identified or identifiable person, whether or not that information identifies them on its own.

Personal data therefore covers the obvious identifiers such as a person’s name, address, email address, phone number, and social media profiles, but also data that is merely linked to a person, such as browsing history, location data, and online identifiers like IP addresses and cookie identifiers (GDPR Recital 30). A record that would not count as PII under a narrow US definition can still be personal data under the GDPR.


In today’s digital world, the protection of personally identifiable information is essential. Numerous laws and regulations protect PII, both in the United States and globally, including the Privacy Act of 1974, HIPAA, and the GDPR. Organizations and individuals must take steps to protect PII, including creating a data privacy framework, using PII security best practices, and educating employees and customers about the risks of sharing personal information.

Protecting PII requires a collaborative effort, and regulatory bodies, organizations, and individuals must work together to ensure that PII is safeguarded against data breaches and identity theft. By taking a proactive approach to protecting PII, individuals and organizations can ensure that sensitive information remains secure and confidential.
