PII vs Personal Data

Legal Definition for 'Personal Data' under GDPR

Any information relating to an identified or identifiable natural person ('Data Subject'); an identifiable person is one who can be identified, directly or indirectly, in particular by reference to an identification number or to one or more factors specific to his physical, physiological, mental, economic, cultural or social identity.
- Article 4 Definitions 1, GDPR

"Generally Accepted" definition for PII

"PII is any information about an individual maintained by an agency, including (1) any information that can be used to distinguish or trace an individual's identity, such as name, social security number, date and place of birth, mother's maiden name, or biometric records; and (2) any other information that is linked or linkable to an individual, such as medical, educational, financial, and employment information."
- NIST SP 800-122
Personally Identifiable Information (PII) vs. Personal Data

PII: Not a legal term, but commonly used in business.
Personal Data: Legal term defined by the GDPR.

PII: Patchwork of laws by various levels of government and organizations. May provide redundant protection or conflict with each other.
Personal Data: Single set of laws created and administered by a single governing body, applicable to all EU member states; Iceland, Liechtenstein, and Norway; and EU trading partners.

PII: May regulate only specific kinds of information privacy and data access depending on line of business, government department, etc.
Personal Data: Regulates all facets of information privacy and use, from medical to commercial to personal.

PII: Most commonly used in the United States.
Personal Data: Most commonly used in the European Union.

PII: Definitions and examples vary by regulation.
Personal Data: Definition and examples are explicitly defined in the GDPR.

PII: Laws and enforcement are provided by each organization or government.
Personal Data: Provides a unified approach to data security and privacy enforcement.

PII: May or may not include non-sensitive information, depending on the regulation.
Personal Data: Includes non-sensitive information, depending on context, if it can be used to identify an individual.

PII: Individual rights vary depending on the regulation. May or may not cover all potential individual rights regarding data.
Personal Data: Under GDPR, data subjects have, from a self-determination perspective:
  • The right to be informed
  • The right of access
  • The right to rectification
  • The right to erasure
  • The right to restrict processing
  • The right to data portability
  • The right to object
  • Rights in relation to automated decision making and profiling.

Non-PII or Non-personal data

Non-personal data is also defined in the GDPR, most simply as information that does not enable identification of an individual. More specifically, it outlines that such data may have been anonymized, or may never have been sensitive to begin with.

The principles of data protection should therefore not apply to anonymous information, namely information which does not relate to an identified or identifiable natural person or to personal data rendered anonymous in such a manner that the data subject is not or no longer identifiable.
- Recital 26, GDPR
Author: Angelique Dawnbringer
Published: 2022-02-03 18:49:46
Modified: 2022-05-30 22:00:28
Keywords:
  • PII
  • Personal Data