Personally Identifiable Information (PII) is a commonly used term in information security and privacy laws, referring to any non-public information or data that could be used to potentially identify a specific individual and distinguish one person from another. However, it typically refers to a narrow range of data such as name, email address, date and place of birth, passport number, etc.
Meanwhile, in the context of the EU’s General Data Protection Regulation (GDPR), personal data refers to “any information relating to an identified or identifiable natural person ('Data Subject'); an identifiable person is one who can be identified, directly or indirectly, in particular by reference to an identification number or to one or more factors specific to his physical, physiological, mental, economic, cultural or social identity”. Therefore, to better protect the personal data of individuals, GDPR covers a much wider range of data and information that could also include medical history, pictures, social media posts, transaction history, IP address, as well as private, subjective and sensitive data such as religion, political opinions and sexual orientation.
Organisations usually collect and store different types of data and information on data subjects. Even if a single data point on its own does not identify someone, when it is collected together and used in conjunction with other data it can become relevant and be used to narrow down a person’s identity. In other words, all PII qualifies as personal data, but not all personal data is PII.
Thus, companies are advised to err on the side of caution if they are unsure whether the information they store is personal data or not. At the end of the day, it is about treating privacy as a fundamental human right and holding organisations accountable for how they handle this sensitive data.