What Counts as Personally Identifiable Information?

We frequently discuss the importance of keeping PII—personally identifiable information—secure, but what does this include? What data qualifies as PII?

Here, we’re going to lock down on a definition (and you may be surprised by what this definition covers).

PII Varies, Depending on Who You Ask

Before PII can be protected effectively, you need to know what data can and should be classified as such. The thing is, it all depends on who you ask.

For instance, while the United States generally only identifies a few dozen identifiers in the legislation that is in place, other places have far more nebulous definitions of what constitutes personally identifiable information. The European Union, Brazil, China, and certain US states like California and Virginia all effectively count anything that can be used to identify an individual…even if the data only contributes to the identification. The General Data Protection Regulation sees race, political opinion or affiliation, religion, and sexual orientation as PII, but the California Consumer Privacy Act does not.

This all makes it challenging to not only define PII, but also to determine how it should be managed…and in response, some areas are staged to crack down on the information collection policies that companies utilize. Five states in the US are poised to hold companies more accountable regarding their data collection and use practices—and it appears that regulators are following suit. After hiring a moving and storage company that attempted to sell servers and hard drives but failing to dispose of about 15 million customers’ PII, Morgan Stanley Smith Barney was fined $35 million.

How to Avoid Fines Like These

First, you need to be sure that you’re abiding by all regulations that your area and industry dictate. Taking these considerations into account from the very beginning and shaping your data handling practices around them will make your compliance simpler to ensure.

Additionally, it is important that you test your protections regularly—both to keep data safe and to ensure that the data cannot be used to identify the individual.

It is also important that you protect your data and access to it through a variety of other safeguards, like encryption both in transit and while at rest, identity and access management, and role-based access control.

We can assist you in implementing all of the above, and more. Reach out to us at (610) 683-6883 to learn more about what we can do.

November 7, 2022
Shawn Kramer