Assure your customers their data is safe with you
Protect your customers and your business with
the Data Trust Platform.
Organizations need to embed privacy into their systems and processes to gain an advantage and gain customer trust. But first, they need to understand the sensitive data they have, and how to classify it. This means they need to learn to separate their PI from their PII. This guide explains the differences between each of these terms.
In the case of a data breach, organizations who have mishandled or improperly retained their customers' personal information can find themselves in a precarious position. If they have failed to identify the personal information they hold on their customers, they may lack visibility into the scale of the damage. If they haven't had data minimization strategies in place, a greater number of current and former customers can be affected.
When organizations have poor data management practices, their customers' data privacy is often an afterthought. The alternative is a proactive framework where privacy is built into systems, technologies, policies, and processes. Such an approach is often referred to as Privacy by Design.
A key part of such an approach is to understand the sensitive data you have, so a level of knowledge about the types of data and the terminology used is a must. This post will help build that baseline knowledge, by outlining what the terms mean both in general and for specific legislation.
Before we do that, let's take a quick look at Privacy by Design.
Implementing a Privacy by Design approach has many benefits, including early identification and remediation of potential privacy risks, which is far better than learning about these risks only once they have been exploited. By adopting this approach you can feel more confident in meeting your privacy compliance requirements.
Having a continuous data inventory with data classification and data minimization policies is an essential part of a proactive Privacy by Design approach. This is where monitoring Personally Identifiable Information (PII) across your systems can help you locate and classify data with PII and ensure it is not retained longer than required.
Now that we understand the importance of Privacy by Design and data inventories, we need to understand the terminology.
Let's first take a look at some specific privacy terms that are often used interchangeably: Personal Data, Personal Information, Personally Identifiable Information and Sensitive Information.
There is a lot of overlap in the terms across jurisdictions and they all cover common ground, but let's start by looking at the high-level differences.
When referring to Personal Data, many privacy professionals will be referring to the processing of information as related to the EU’s General Data Protection Regulation (GDPR). Personal Data is broad in scope and means any information that is clearly about a particular person.
GDPR Article 4 gives the following definition for “personal data”:
‘Personal data’ means any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.
GDPR sets out special categories of personal data that include:
Many different jurisdictions refer to Personal Information rather than Personal Data, such as the Australian Privacy Act and the California Consumer Privacy Act (CCPA). Although PI and PD are more alike than not, there are subtle differences between these definitions in different jurisdictions. For example, the GDPR specifies online identifiers such as IP addresses and cookie identifiers are personal data. The Australian Privacy Act does not specifically address IP addresses and cookie identifiers in personal information.
The Australian Privacy Act defines 'personal information' as:
Information or an opinion about an identified individual, or an individual who is reasonably identifiable:
The term ‘personal information’ in the Australian Privacy Act context encompasses a broad range of information and the Act does specify types of PI:
The more recent California Consumer Privacy Act maintains a broad definition of “personal information”, defining personal information as a broad category of all kinds of data:
“Information that identifies, relates to, describes, is capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household.”
CCPA includes the following categories of personal information:
For a full rundown of the privacy legislation landscape across the United States, check out this informative infographic from the International Association of Privacy Professionals (IAPP).
Personally Identifiable Information (PII) is a term used by both government and corporations. Generally speaking, it is information that can be used on its own or combined with other information to identify, contact, or locate a single person, or to identify an individual in context.
PII is a term more commonly used in the United States. The US Office of Privacy and Open Government defines PII as:
“Information which can be used to distinguish or trace an individual’s identity, such as their name, social security number, biometric records, etc. alone, or when combined with other personal or identifying information which is linked or linkable to a specific individual, such as date and place of birth, mother’s maiden name, etc.”
The National Institute of Standards and Technology (NIST) Guide to Protecting the Confidentiality of Personally Identifiable Information (PII) lists the following examples of PII data.
While not limited to these, the following table contains some specific pieces of PII that can be scanned for in the RecordPoint Data Trust Platform.
Across all jurisdictions, it is key to note that PD, PI and PII can range from sensitive and confidential information to information that is widely publicly available.
Sensitive information is a subset of Personal Information. Most jurisdictions' definitions of sensitive information align, but they each have slight differences in language.
The GDPR classifies certain types of information as sensitive data, which is subject to specifically defined processing conditions. Sensitive data includes information that could cause harm to an individual if used for identification and malicious purposes.
This regulation defines Sensitive Personal Information to mean information or an opinion about an individual’s:
Often referred to as CCPA 2.0 and an amendment of the CCPA, this regulation defines Sensitive Personal Information to include:
Understanding all these terms and how they may intersect or differ is a key part of a Privacy by Design approach. Organizations that embed privacy into their systems and processes will have a strategic competitive advantage and will generate trust among their customer base.