What is Personal Identifiable Information (PII)?


Personal identifiable information is data relating to an identified or identifiable natural person, such as an ID number, location data, online identifier (like an IP or MAC address) or other specific factors. Experian explains personal identifiable information (PII) as “any piece of information meant to identify a specific individual.” PII includes unique identifying data such as a Social Security number, driver's license number, financial accounts, email addresses, login credentials and passwords, addresses, phone numbers, and birth date.

Types of Personal Identifiable Information

PII can be designated as sensitive or non-sensitive. Sensitive data is information that can be damaging to an individual if it is lost or stolen, such as employee personnel records, tax information, passport information, credit and debit card numbers, banking accounts, email addresses, internet account numbers, passwords and biometric information. Non-sensitive data is information that can be shared openly, including birth date, address, religion, ethnicity, sexual orientation, IP addresses, and business and public personal phone numbers.

PII and the GDPR

The protection of PII is the core of the General Data Protection Regulation (GDPR). The GDPR explicitly directs organizations to protect the personal identifiable information (PII) of all “data subjects” of the European Union and United Kingdom. The protection of PII data (and the penalties associated with a breach of it) are rights held by the data subject, enforceable both inside and outside the European Union and United Kingdom. The GDPR requires evidence of the protection measures a business has in place as PII data is collected, processed, stored or transmitted. The law also requires the specific consent of data subjects before a business may collect, process, store or transmit their data.

A data subject is a natural person who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an ID number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.

The GDPR further defines the data subject as a resident of the European Union and United Kingdom. In some circumstances, such as a Canadian living in the European Union or United Kingdom, the protections of the GDPR would be extended to that data subject’s PII. In other words, the GDPR’s protections also extend to the rights of European Union and United Kingdom residents living outside the region.

Ian Thompson-Trump, Head of Cyber Security at AmTrust International, explains how PII is described in the GDPR: “Recently, PII data has also been referred to collectively and colloquially as ‘sensitive data’; however, the GDPR goes to great lengths to define PII data, so in the interests of clarity (and legality), when referring to data under the GDPR’s protection requirements we choose to use the term PII data.”

PII Protections Under the GDPR

As mentioned previously, the GDPR requires protection of PII data, and evidence of the protection measures a business has in place, as that data is collected, processed, stored or transmitted. The GDPR also requires the ability to identify when PII data is exposed in an unprotected state, and it requires the specific consent of data subjects before a business may collect, process, store or transmit their data.

Under the GDPR, individuals have control over their personal data and its use, including the right to request that their data be deleted (the right to erasure), the right to object to processing, and the right to data portability in electronic form. This means that a person can request a copy of all data that a business holds about them in a commonly used, machine-readable format, so they can provide it to a different company. Individuals must also be informed about any automated decision-making processes in the company’s privacy notice, and they have the right to object to automated decision-making, meaning that organizations must have a non-automated alternative.

PII and the Insurance Industry

The GDPR is both a challenge and an opportunity for the insurance industry. Data collected or processed outside of an EU resident’s home country must have protections compliant with the GDPR. Even insurers with no operations or presence in the EU are subject to the GDPR to the extent that they offer services to individuals located in the EU. However, not all insurance organizations use personal data in the same way or for the same purposes.

Insurance companies often need to process sensitive personal data to underwrite risks and to provide claims handling and other insurance-related services. Much of the personal data that insurers hold about individuals is sensitive in nature, particularly information about a person’s health or medical treatment. These “special categories” of personal data cannot be processed unless the individual has given explicit consent to that processing, or in certain other limited circumstances, none of which readily apply to the insurance industry.

The HIPAA Journal explains that, because of the importance placed on the concept of consent, organizations should be mindful of the following in order to comply with the GDPR:
  • Data subjects must be made fully aware of what they are giving their consent to.
  • Consent applies only to the use of data for a specific purpose. This purpose must be clearly defined and explained to the data subject.
  • Obtaining consent for marketing materials from an already-checked “tick” box is no longer acceptable. Data subjects need to take an action to give their consent.

Learn More About How to Protect Personal Data

AmTrust Financial explored the impact of the GDPR on small businesses, including the insurance industry in the U.S., in our recent white paper “What is the GDPR? The Impact on the Insurance Industry and Small Businesses in the U.S.” Download a copy today to learn more about the many aspects of the data privacy law that affect how we share and store PII and personal data.

This material is for informational purposes only and is not legal or business advice. Neither AmTrust Financial Services, Inc. nor any of its subsidiaries or affiliates represents or warrants that the information contained herein is appropriate or suitable for any specific business or legal purpose. Readers seeking resolution of specific questions should consult their business and/or legal advisors. Coverages may vary by location. Contact your local RSM for more information.
