What is PII (Personally Identifiable Information) | PII Data Compliance


Updated: 02/12/2024


Data privacy is important to all of us. We value it in our personal lives, and we want to protect it when using the internet for business or pleasure. One thing that can sometimes lead us astray is what information constitutes PII (Personally Identifiable Information). It’s not always clear how much information should be considered PII. For example, if you know someone’s phone number but not their name – does this constitute PII? What about their IP address? This article will help clarify what exactly counts as personally identifiable information and give you some tips to protect your privacy online.

What is PII?

The most common definition of Personally Identifiable Information is any information that can be used to identify who you are, alone or when used with other relevant data. This includes, but is not limited to: full name, username or handle, biometric records, email address, home address and phone number. It also can include some digital identifiers like IP addresses or cookies, which have been set by particular websites on your computer.

When we talk about personally identifiable information, there are two different types of information that can be used to identify someone. The first type is direct identifiers: any piece of sensitive data that on its own links straight back to your identity, such as your name, social security number or email address.

The second type is indirect identifiers: information that could lead someone to your identity after further investigation. An example is an IP address or location data, which can be linked back to the place you are connecting from (and therefore to you).

What is PII in cybersecurity?

In cybersecurity, PII is any information about an individual that could be used to harm that person. Such data is stored in databases and is often sold on the dark web by hackers or cybercriminals who have obtained it illegally from databases owned by government agencies, businesses or private individuals. It might include items such as someone’s address, phone number or date of birth.

Is PII Always Personal?

When we talk about protecting our data privacy online or offline, it’s important not to get too caught up in the semantics of what’s defined as “personal” or not. The most important thing to remember is that anything which could lead someone back to your identity can be considered personally identifiable information if you’re trying to protect yourself online.

This means that, even though it might seem like a stretch, an IP address counts as personal information, because the ISP (Internet Service Provider) that assigned it can identify the subscriber behind it.

What is non-PII?

Non-PII is any data that cannot be used to identify who you are. This includes things like your age, gender or ethnicity. It could also include non-unique identifiers, such as the MAC addresses of the devices that connect to your home network (which can’t be traced back to a person).

What is personal data?

The definition of personal data is more relevant when we talk about how companies collect and use our information. Personal data is a piece of information that relates to any identifiable natural person or is used to identify someone or infer their preferences, behaviours or characteristics – either explicitly or implicitly.

As an example: A website could track the pages you visit (and therefore infer your interests) in order to make targeted advertising more relevant to you.

Personal data security

Personal data security is about protecting the confidentiality, integrity and availability of personal information. This means preventing unauthorised access to your sensitive data, and preventing anyone from tampering with it in a way that could lead to fraudulent use. An example would be someone intercepting an email containing your credit card details, allowing them to make purchases in your name.

Difference between PII and personal data

Generally, personally identifiable information is any sensitive data that could lead someone back to your personal identity. This includes things like direct identifiers (such as name or address) – but also indirect ones which can be used to infer someone’s behaviour.

Personal data, on the other hand, refers more to how companies use this information in order to provide a service or complete an online purchase. This includes things like your credit card number or browsing history, which can be tracked to make targeted advertising more relevant to you.

Why should you care about PII?

The definition of PII is complex and varies depending on the organisation you are dealing with. The most important thing to know, however, is that anything which could lead someone back to your identity should be treated as sensitive information that needs protection from unauthorised access. This means things like passwords or social security numbers should be treated as personally identifiable information no matter what.

It’s also important to understand that the data you’re providing online doesn’t just belong to companies who are collecting it – but is yours and should therefore only be shared on your terms (or not at all). This means being careful with how much information you share publicly or through social media because it’s free for anyone to use and could be used against you in the future.

What is PII compliance?

PII compliance does not refer to a single document. It is a concept defined by the individual authorities of various countries, as part of their privacy regulations, in order to enforce the protection of PII.

The specific requirements of PII compliance differ from one regulation to another, but the fundamentals are more or less the same. The regulation in question could be the EU GDPR, the UK GDPR, the CCPA (California), the Privacy Act (Australia) or another privacy law in a given country.

To protect against data theft and other cybercrimes, companies need to be PII compliant. This means they should have a clear policy in place, covering how the company collects personal information from individuals, what it is used for and how it is stored.

There should also be regular checks of all security systems, including passwords, physical security, software updates and network access.

If you are concerned about the protection of PII held by a company or organisation – it’s important to check their privacy policy for more information on how they protect data. You can also request details of any personal data breaches which have occurred in recent months.

With so many companies collecting our details these days, it’s important to be aware of the risks and take steps to protect yourself. This includes choosing a strong password for each different website or an online account you have – using two-factor authentication where possible and keeping up with software updates that will help patch security holes in operating systems.

Suggested Read: PCI Compliance

PII compliance checklist

The main pillars of a compliance checklist built from scratch run from classifying the information and setting up a policy through to regular auditing:

  1. Identify and classify PII
  2. PII policy
  3. Implement data security and privacy tools to protect PII
  4. Practice
  5. Regular auditing and monitoring
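Step 1 of the checklist, identifying and classifying PII, is the one that most often gets skipped because nobody knows what the organisation actually holds. As an added example (not code from the original article), the Python script below classifies the fields of constructed customer records into the three classes the article describes (direct identifiers, indirect identifiers and non-PII), scans a constructed log line for PII that has leaked into free text, and produces the per-class inventory a policy and audit would be built on. The field names, the regular expressions and the sample data are assumptions for illustration.

```python
import re
from typing import Dict, List, Tuple

# Field names are assumptions for this constructed example; a real inventory
# would map them from the schemas you actually hold. The three classes follow
# the article: direct identifiers, indirect identifiers and non-PII.
DIRECT_FIELDS = {"full_name", "username", "email", "phone", "ssn", "home_address"}
INDIRECT_FIELDS = {"ip_address", "location", "cookie_id"}
NON_PII_FIELDS = {"age", "gender", "ethnicity"}

# One alternation, in priority order, so each span is matched exactly once:
# an SSN would otherwise also satisfy the looser phone pattern.
PII_PATTERN = re.compile(
    r"(?P<email>[\w.+-]+@[\w-]+\.[\w.-]+)"
    r"|(?P<ssn>\b\d{3}-\d{2}-\d{4}\b)"
    r"|(?P<ipv4>\b(?:\d{1,3}\.){3}\d{1,3}\b)"
    r"|(?P<phone>\+?\(?\d{1,3}\)?[\s-]?\(?\d{2,4}\)?[\s-]?\d{3,4}(?:[\s-]?\d{3,4})?)"
)
DIRECT_KINDS = {"email", "ssn", "phone"}  # an IPv4 address is an indirect identifier


def classify_field(name: str) -> str:
    """Classify a structured field by its name."""
    if name in DIRECT_FIELDS:
        return "direct"
    if name in INDIRECT_FIELDS:
        return "indirect"
    if name in NON_PII_FIELDS:
        return "non-pii"
    return "unclassified"  # needs a human decision before the policy is signed off


def classify_record(record: Dict[str, str]) -> Dict[str, str]:
    """Map every field of one record to its class."""
    return {field: classify_field(field) for field in record}


def find_pii_in_text(text: str) -> List[Tuple[str, str, str]]:
    """Scan free text (log lines, support tickets) where no field names exist.

    Returns (kind, class, matched_value) tuples in the order they were found."""
    hits = []
    for match in PII_PATTERN.finditer(text):
        kind = match.lastgroup
        cls = "direct" if kind in DIRECT_KINDS else "indirect"
        hits.append((kind, cls, match.group()))
    return hits


def inventory(records: List[Dict[str, str]]) -> Dict[str, int]:
    """Count fields per class across a dataset: the output of checklist step 1."""
    counts = {"direct": 0, "indirect": 0, "non-pii": 0, "unclassified": 0}
    for record in records:
        for cls in classify_record(record).values():
            counts[cls] += 1
    return counts


# Constructed sample data (not real people; documentation-range addresses).
SAMPLE_RECORDS = [
    {"full_name": "Jane Doe", "email": "jane.doe@example.com", "ssn": "123-45-6789",
     "ip_address": "203.0.113.42", "age": "34", "gender": "F"},
    {"full_name": "John Roe", "email": "john.roe@example.net", "phone": "+44 20 7946 0958",
     "location": "51.50,-0.12", "age": "41", "loyalty_tier": "gold"},
]
SAMPLE_LOG = ("2024-02-12T10:33:01Z user=jdoe email=jane.doe@example.com "
              "src=203.0.113.42 tel=+44 20 7946 0958 ssn=123-45-6789")

if __name__ == "__main__":
    print(inventory(SAMPLE_RECORDS))
    for hit in find_pii_in_text(SAMPLE_LOG):
        print(hit)
```

The "unclassified" bucket is deliberate: a field the script cannot place (here `loyalty_tier`) should surface in the inventory rather than silently count as non-PII, because the article's point is that whether a value is PII depends on what it can be combined with. The free-text scan matters for the same reason: direct identifiers that were correctly locked down in the database routinely reappear in application logs.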

How to protect PII under GDPR?

The General Data Protection Regulation (GDPR) is a new set of rules designed specifically to protect the privacy rights of EU citizens. The good news for anyone outside Europe is that many GDPR principles will be adopted by other countries over time, but it is important to know what they are and how you can use them to protect yourself.

The General Data Protection Regulation applies to any organisation that does business with EU citizens, which includes:

  1. Providing a service or product (regardless of the organisation's physical location)
  2. Collecting personal data from an individual

The main principle behind protecting PII is giving individuals control over how their data is collected, stored and used, while ensuring they know who is responsible for it, what is being done to protect it, and that they understand the consequences of sharing their PII.

This means:

  1. Providing a privacy policy (and terms & conditions agreement) which outlines exactly how personal data will be used
  2. Giving users access to all information collected about them
  3. Ensuring companies have appropriate security measures in place, including encryption and anonymisation where possible
  4. Notifying users about any data breaches when they are discovered
  5. Providing individuals with the right to have their PII removed from a company's systems
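Three of the measures just listed (anonymisation, giving users access to the data held on them, and removing a person's PII on request) can be shown working on a small dataset. The Python below is an added example, not the article's own code and not a complete GDPR implementation: it pseudonymises direct identifiers with a keyed HMAC, generalises IP addresses so a record no longer points at one connection, and then uses the same token to answer an access request and an erasure request. The field names, sample records and the demo key are constructed assumptions.

```python
import hashlib
import hmac
import ipaddress
from typing import Dict, List

# Assumed field names for this constructed example.
DIRECT_FIELDS = {"full_name", "email", "phone"}
IP_FIELD = "ip_address"


def pseudonymise(value: str, key: bytes) -> str:
    """Replace a direct identifier with a keyed HMAC-SHA256 token.

    Keyed rather than a plain hash: a bare SHA-256 of an email address is undone
    by hashing a list of known addresses, a keyed token is not without the key.
    Normalising case and whitespace keeps one person mapped to one token."""
    canonical = value.strip().lower().encode("utf-8")
    return hmac.new(key, canonical, hashlib.sha256).hexdigest()


def anonymise_ip(ip: str) -> str:
    """Generalise an IP address: keep the /24 (IPv4) or /48 (IPv6) prefix and
    drop the host part, so coarse analytics still work but the value no longer
    identifies one subscriber's connection."""
    addr = ipaddress.ip_address(ip)
    prefix = 24 if addr.version == 4 else 48
    return str(ipaddress.ip_network(f"{addr}/{prefix}", strict=False).network_address)


def protect_record(record: Dict[str, str], key: bytes) -> Dict[str, str]:
    """Pseudonymise direct identifiers and generalise the IP; leave the rest."""
    out = {}
    for field, value in record.items():
        if field in DIRECT_FIELDS:
            out[field] = pseudonymise(value, key)
        elif field == IP_FIELD:
            out[field] = anonymise_ip(value)
        else:
            out[field] = value
    return out


def build_protected_dataset(records: List[Dict[str, str]], key: bytes) -> List[Dict[str, str]]:
    return [protect_record(r, key) for r in records]


def subject_access(records: List[Dict[str, str]], email: str, key: bytes) -> List[Dict[str, str]]:
    """Right of access: return every protected record belonging to the subject.
    The key is needed to compute the token, which is why it must live apart from the data."""
    token = pseudonymise(email, key)
    return [r for r in records if r.get("email") == token]


def erase_subject(records: List[Dict[str, str]], email: str, key: bytes) -> List[Dict[str, str]]:
    """Right to erasure: return the dataset without the subject's records."""
    token = pseudonymise(email, key)
    return [r for r in records if r.get("email") != token]


# Constructed sample data (not real people; documentation-range addresses) and a
# demo key. In production the key belongs in a KMS or secret store, never beside the data.
DEMO_KEY = b"constructed-demo-key-do-not-reuse"
RAW_RECORDS = [
    {"full_name": "Jane Doe", "email": "Jane.Doe@example.com", "ip_address": "203.0.113.42", "age": "34"},
    {"full_name": "Jane Doe", "email": "jane.doe@example.com", "ip_address": "2001:db8:abcd:1234::1", "age": "34"},
    {"full_name": "John Roe", "email": "john.roe@example.net", "ip_address": "198.51.100.7", "age": "41"},
]

if __name__ == "__main__":
    protected = build_protected_dataset(RAW_RECORDS, DEMO_KEY)
    print(subject_access(protected, "jane.doe@example.com", DEMO_KEY))
    print(len(erase_subject(protected, "jane.doe@example.com", DEMO_KEY)))
```

Two caveats a practitioner would add. Pseudonymised data is still personal data under the GDPR for as long as the key exists and the records could be re-linked, so the protected dataset needs the same controls as the original and the key needs stricter ones. And truncating an IP address is a generalisation, not a guarantee: a /24 shared by three users in a small dataset still narrows things down, which is why anonymisation has to be judged against the whole dataset rather than one field at a time.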

Tips to protect my personal information

You can do a number of things in order to better protect your online privacy – which will not only help keep yourself safe but also help prevent others from accessing your PII or using it in a way that you didn’t intend.

Some of the most important steps include:

1. Making sure all accounts that hold personal information have secure passwords

2. Ensuring any online forms asking for your details are served over an SSL/TLS-encrypted (HTTPS) connection

3. Using strong anti-virus software for data protection against malware and phishing attacks

4. Not sharing any personal information online that isn’t necessary

5. Not posting photos or videos of yourself which include identifiable landmarks (e.g. your house)

6. Checking privacy settings on social media accounts so you understand who can see what content

7. Using different email addresses for sensitive transactions like banking

8. Keeping your operating systems up to date, so you have the latest security patches and bug fixes

9. Not opening suspicious links or attachments from unknown senders

10. Using a VPN when browsing or downloading content online, which can help protect against identity theft, hacking and other online threats.

What should I do if my PII has been compromised?

If your personal data gets into the wrong hands, there are a few steps you can take. Some of these include:

1. Changing your passwords and not reusing the same ones for all services (this includes email accounts).

2. Checking your credit report for any unusual activity.

3. Using an online reputation management service to check for any negative or defamatory content.

4. Asking the website where your personally identifiable information was compromised how it will prevent this from happening again, and what steps were taken to inform affected individuals.

5. Seeking legal advice if you believe someone has used your data dishonestly or illegally.

6. Contacting the company where you think there has been a data breach and finding out what they are doing about it.

7. Informing local law enforcement if you believe any crimes have been committed against you because of the data breach, such as identity theft or fraud.

Who is Responsible for protecting PII?

The company that collects your personal data is responsible for keeping it secure and taking the appropriate steps to protect against identity theft or other cybercrimes.

If you believe any of your PII has been used without permission, stolen from a website breach, stored insecurely online or lost in another way – take action as soon as possible by speaking with the company where it was collected.

If you are unhappy with how they have handled your data, or believe not enough has been done to protect against future security risks, report them to local enforcement agencies, such as Trading Standards in the UK or the Federal Trade Commission in the US.

Are your PII security measures effective?

Get in touch to discuss if you are measuring the effectiveness of your PII controls and protecting PII of your staff and customers.


Shahrukh Mirza

Shahrukh, is a passionate cyber security analyst and researcher who loves to write technical blogs on different cyber security topics. He holds a Masters degree in Information Security, an OSCP and has a strong technical skillset in offensive security.
