Personal data or PII




PII or not to PII, that is the question








PII, or personally identifiable information, is used an awful lot to describe something that within the EU-GDPR, DPA2018 (UK-GDPR) is referred to as, personal data.

What is personal data vs PII?

Personal data - means any information relating to an identified or identifiable natural person (’data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person (GDPR, Art 4(1)).

PII is identified in US law as - information that can be used to distinguish or trace an individual's identity, either alone or when combined with other personal or identifying information that is linked or linkable to a specific individual.  (Office of Management and Budget Guidance for Grants and Agreements, Chapter II, Part 200, Sub-part A, Section 200-79).

Take away points:
  • The focus of EU-GDPR (UK-GDPR/DPA2018) is:
    • To protect the interests of a data subject by regulating the activities of the [data] controller and [data] processor who process data that incorporates personal data, and
    • It is the definition of personal data that in fact triggers the EU-GDPR, and not PII.
There is a bit of confusion however, especially with a number of ISO standards, for example:
  • PII rather than personal data - ISO/IEC 27018:2019 (Code of practice for protection of personally identifiable information (PII) in public clouds acting as PII processors).
The final take away point is please ensure that you are using the correct definitions and where ISO standards are concerned read the small print in which acknowledgment is made of 'local' legislation and regulation.

References: CyBOK v1.0; KanSecurity mindmaps; others as shown.

KanSecurity (NL)

Popular posts from this blog

Risk and micro, small business

Risk and Certification

Sleepless nights, and business owners