Personally identifiable information (PII) is any data that can be used to identify an individual. This applies whether the data is sufficient to identify someone on its own or can only do so when combined with some other information. So this can be a direct identifier such as a driving licence or National Insurance number, or an indirect one such as a date of birth or postcode that would need something else to identify a person.
But what does this mean for businesses that may potentially be involved in the storage of sensitive details?
Organisations are collecting more data than ever before. This is partly down to changes in technology, such as increased mobile usage and Internet of Things devices, but also to changes in lifestyle, including greater reliance on e-commerce and social media.
All of this has led to an explosion in the volume of data being collected. This ‘big data’ is valuable to businesses and government organisations, as analysis of it can offer insights into behaviour and allow long-term planning and more effective marketing.
But, of course, if the information is valuable to businesses then it’s also valuable to hackers and cyber criminals. Data breaches can lead to large volumes of personal data being exposed and this is damaging to the reputation of the business as well as potentially landing it with a hefty fine. It’s no surprise then that regulatory bodies around the world are seeking to tighten the controls surrounding the use and holding of PII.
As we said in the introduction, PII comes in two forms depending on whether it can directly identify an individual. These can be categorised as sensitive and non-sensitive PII.
Sensitive data would include an individual’s full name and address, passport and driving licence data, medical records, credit card and bank information. This isn’t a full list but you get the idea. If businesses need to share information about their customers, for example for marketing purposes, they usually do so in an anonymised form. This means encrypting and obfuscating the data so that it is shared in a form that can’t identify any individuals, or that only includes details, such as name and address, sufficient for the purpose of the exercise.
Non-sensitive PII includes items such as postcodes, gender, date of birth, place of birth and so forth. Much of this is publicly available via directories or online. The key factor here is that these details on their own can’t be used to identify an individual. However, when linked to other data, this non-sensitive information could identify someone. As such, it still needs to be treated with care. Although one piece of data may be insufficient to identify someone, several together may be enough to do so.
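As an added illustration (not part of the original article), the Python sketch below measures this effect on a small constructed data set before it is shared: each field on its own is common to several records, the combination singles out every record, and coarsening the values restores larger groups. The field names, the sample records and the `generalise` helper are assumptions made for the example.

```python
from collections import Counter

# Constructed sample records (not real people), holding only "non-sensitive" fields.
RECORDS = [
    {"postcode": "AB1 2CD", "gender": "F", "dob": "1984-03-12"},
    {"postcode": "AB1 2CD", "gender": "F", "dob": "1987-11-02"},
    {"postcode": "AB1 4EF", "gender": "F", "dob": "1984-03-12"},
    {"postcode": "AB1 4EF", "gender": "F", "dob": "1987-11-02"},
    {"postcode": "XY9 7GH", "gender": "M", "dob": "1991-06-30"},
    {"postcode": "XY9 7GH", "gender": "M", "dob": "1995-01-19"},
    {"postcode": "XY9 8JK", "gender": "M", "dob": "1991-06-30"},
    {"postcode": "XY9 8JK", "gender": "M", "dob": "1995-01-19"},
]
QUASI_IDENTIFIERS = ["postcode", "gender", "dob"]

def group_sizes(records, fields):
    """Count how many records share each combination of values for `fields`."""
    return Counter(tuple(r[f] for f in fields) for r in records)

def k_anonymity(records, fields):
    """Smallest group size; k == 1 means at least one record is singled out."""
    return min(group_sizes(records, fields).values())

def unique_records(records, fields):
    """Number of records whose combination of `fields` appears exactly once."""
    sizes = group_sizes(records, fields)
    return sum(1 for r in records if sizes[tuple(r[f] for f in fields)] == 1)

def generalise(record):
    """Hypothetical coarsening: outward postcode only, birth decade only."""
    return {
        "postcode": record["postcode"].split()[0],
        "gender": record["gender"],
        "dob": record["dob"][:3] + "0s",
    }

if __name__ == "__main__":
    for field in QUASI_IDENTIFIERS:
        print(f"{field} alone: k = {k_anonymity(RECORDS, [field])}")
    print("combined: k =", k_anonymity(RECORDS, QUASI_IDENTIFIERS),
          "| unique records =", unique_records(RECORDS, QUASI_IDENTIFIERS))
    coarse = [generalise(r) for r in RECORDS]
    print("generalised: k =", k_anonymity(coarse, QUASI_IDENTIFIERS),
          "| unique records =", unique_records(coarse, QUASI_IDENTIFIERS))
```

A release check of this kind can gate a data share on a minimum k agreed for the purpose of the exercise.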
The rapid growth of big data has led to a consequent increase in legislation aimed at protecting consumer privacy. Governments around the world either already have, or are planning to implement, data protection legislation.
Best known is probably the EU’s General Data Protection Regulation (GDPR), which was introduced in 2018. Various US states are also implementing similar legislation. The difficulty for businesses with all of this is that definitions of PII vary around the world. It’s also the case that if you have customers in a particular jurisdiction, you have to abide by its rules. For example, if you hold PII on EU citizens, you need to follow the GDPR rules, even if your business is based outside of the EU.
The importance of data is not going to decline, so it will remain a major concern for both businesses and governments in the future.
Of course, it’s also a concern for individuals. High-profile data breaches such as the Cambridge Analytica/Facebook scandal and the British Airways breach are making people more aware of the fact that their personal data has value. This is not only value to companies but also to cyber criminals, with stolen details appearing for sale on the dark web.
There is, of necessity, a trade-off here. As individuals, we worry about how our data is being used and whether it is being properly protected. The other side of the coin, however, is that we like the personalised offers, ticketless check-ins and responsive customer service that big data can enable.
As people become aware of how and where their data is used, this is likely to bring increased pressure on those who are custodians of it. If a company has suffered a breach or appears to be using data in an irresponsible way, then there is a likelihood that people will seek to take their business elsewhere and deal with organisations that are taking a more responsible and, crucially, more transparent approach to the use of PII.