BY Chet Metchalf | 30 June 2021
We often run into confusion surrounding what exactly constitutes personally identifiable information (PII). PII qualifications vary depending on the specific compliance laws and jurisdictions, but generally speaking, PII is simply defined as information used to distinguish individuals from one another. PII pertains to information closely related to each consumer, for example, name, birthdate, social security number, and workplace information.
The key differentiator in how the GDPR and the California Consumer Privacy Act of 2018 (CCPA) define PII is that the CCPA refers to it as “personal information” and the GDPR refers to it as “personal data.”
The CCPA acts as the genesis for state-mandated U.S. compliance laws. And although it does borrow principles from the GDPR, the law distinguishes itself as a heavily consumer-oriented law, giving rights and privileges to individuals. In order to maintain CCPA compliance and GDPR, you will need to understand how PII is defined for each law.
PI as defined by the CCPA § 1798.140: “Information that identifies, relates to, describes, is capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household. Personal information includes, but is not limited to, the following if it identifies, relates to, describes, is capable of being associated with, or could be reasonably linked, directly or indirectly, with a particular consumer or household.”
This does not include any information that has been made publicly available by the local, state or federal government.
Identifiers that can reasonably be tethered to a Californian individual or household include things such as a person’s real name, postal address, email address, social security number, driver’s license number, and passport number.
Several indicators go overlooked, but with the prevalence of mobile data collection, businesses should be more vigilant and be aware that IP addresses, geolocations, biometric data, and internet search history — among other data sources — are also classified as personal information.
Personal data as defined by Article 4 of the GDPR: “‘Any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.”
Any company that markets or sells goods to EU citizens, regardless of location, is subject to the GDPR. Examples of personal information the law aims to protect include mailing addresses, email addresses, phone numbers, IP addresses, login ID details, social media posts and digital images.
Companies are collecting data about individuals, both directly and indirectly, at a rapid pace and from a range of sources. In order to ensure that PII — in this case, personal information and personal data — is being protected, you will need to understand the big picture of where all this data resides across structured and unstructured sources. Use Enterprise Recon to learn exactly what PII data your company has stored, how it is being used, and most importantly, how it is being protected.
If you are ready to start your data discovery journey, book a demo with a data expert today.
Share this article!
Want to keep up with all our blog posts? Subscribe to our newsletter!
As companies all around the world continue have large portions of their workforce remote, the need to keep their data safe and protected is even more critical. To help companies navigate this new reality and mitigate security risks, we are providing a 90-day complimentary version of our flagship solution—Enterprise Recon. Learn more about it here.
Please submit the form below and we’ll contact you to schedule a discovery call. Want to skip the email? Go here to schedule a meeting directly on our calendar.