Personally Identifiable Information (PII) is any data that can be used, either on its own or in combination with other information, to identify a specific individual. This includes direct identifiers such as names, social security numbers, and email addresses, as well as quasi-identifiers like date of birth, postal code, or job title that, when combined, can uniquely identify a person.
While the term PII originates from US privacy frameworks such as NIST SP 800-122, it overlaps significantly with the GDPR concept of personal data. Organisations operating across jurisdictions must understand the nuances between these definitions, as the GDPR's scope is broader and includes online identifiers and location data. Proper PII handling requires classification, access controls, encryption at rest and in transit, and documented retention and deletion procedures.