Personal Data, PII, Sensitive Data and the GDPR
March 30, 2023
If your organization collects, uses or stores the personal data of people in the EU, you will need to comply with the privacy and security requirements of the General Data Protection Regulation (GDPR) or face large fines. That means you need to know what “personal data” in the EU, personally identifiable information (PII) in the U.S. and “sensitive personal data” each cover.

Personal data is any piece of information that can be used to identify a living person, not only a name: for example, an email or physical address, phone number, fingerprints, I.D., IP address, photographs, social media posts or location data. PII, on the other hand, has a narrower scope and includes only name, address, birth date, Social Security number and banking information. All PII can be personal data, but not all personal data is considered PII.

Sensitive personal data can include racial or ethnic origin, political opinions, health-related data, religious or philosophical beliefs, sexual orientation, and genetic and biometric data. Sensitive personal data carries the highest risk and the greatest potential harm to the individual if breached, and the GDPR imposes enhanced requirements for its protection and processing. Although consent is only one of six lawful grounds for processing personal data, explicit consent is needed to process sensitive personal data.