PII — Personally Identifiable Information — is one of those terms that gets used constantly in data protection conversations, but is rarely explained clearly. What counts as PII? Does a first name on its own count? What about an IP address? A job title?
This guide answers those questions in plain English, explains how the concept maps to UK GDPR's definition of "personal data," and helps you identify the types of PII your business is likely to hold.
PII vs personal data: what's the difference?
In the UK, the law doesn't use the term "PII" — that's primarily an American legal concept. UK GDPR uses the term personal data, which is defined as:
"any information relating to an identified or identifiable natural person"
An identifiable person is one who can be identified, directly or indirectly — in particular by reference to an identifier such as a name, an identification number, location data, an online identifier, or one or more factors specific to that person's physical, physiological, genetic, mental, economic, cultural, or social identity.
In practice, "PII" and "personal data" are used interchangeably by most businesses. For compliance purposes in the UK, "personal data" is the operative term — and it's deliberately broad.
What counts as personal data?
The key test is whether information relates to an identifiable individual. This is wider than most people assume.
Direct identifiers
These identify someone on their own:
- Full name
- National Insurance number
- Passport or driving licence number
- Email address (personal or work)
- Home address
- Date of birth
- Photograph
- Biometric data (fingerprints, facial recognition data)
Indirect identifiers
These may identify someone when combined with other information:
- First name alone (depends on context)
- Job title (if it's a unique role)
- IP address
- Device identifiers / cookies
- Location data
- Employee ID or customer reference number
- Salary or financial information linked to an individual
- Physical description
The combination test matters. "John" on its own might not be personal data. "John, Head of Finance at [company], salary £65,000" almost certainly is — because the combination identifies a specific individual.
What counts as special category data?
Some categories of personal data are considered more sensitive and receive stronger protection under Article 9 of UK GDPR. These are:
- Health and medical data — including sickness records, disability information, medical history
- Racial or ethnic origin
- Political opinions
- Religious or philosophical beliefs
- Trade union membership
- Genetic data
- Biometric data (where used for identification purposes)
- Data concerning sex life or sexual orientation
Processing special category data requires both a standard Article 6 lawful basis and an additional condition under Article 9. Most businesses hold some special category data even if they don't realise it — sickness absence records, for example, are health data.
PII your business probably holds
Most SMEs hold more personal data than they initially think. Here's a practical inventory to check against:
Employees and HR
- Names, addresses, dates of birth
- National Insurance numbers
- Bank account details
- Salary and benefits information
- Performance reviews and disciplinary records
- Sickness and absence records (health data)
- Emergency contact details
Customers and clients
- Names and contact details
- Purchase history and account records
- Correspondence and complaint records
Prospects and marketing
- Email addresses and contact details
- Marketing consent records
- Website behaviour data (cookies, analytics)
Website visitors
- IP addresses
- Cookie identifiers
- Form submission data
PII in documents: the hidden challenge
One of the most underappreciated sources of PII in most businesses is documents — PDFs, Word files, scanned contracts, email attachments, invoices. These often contain personal data that isn't tracked in any system and doesn't appear in your CRM or HR platform.
Common examples include:
- A contract with a client's personal address as the signatory address
- An email chain containing a customer's health information
- A scanned form with handwritten personal details
- A spreadsheet with employee salary data shared as an attachment
- An invoice containing a sole trader's personal address
This is why document-level PII detection matters. A data audit that only covers structured databases will miss a significant proportion of the personal data most businesses hold.
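To make the document-level point concrete, here is a small added example (not code from the original article or from any product it describes) that scans the extracted text of a document for some of the identifier types listed above and tags each finding as direct, indirect, or special category. The NI number pattern follows the commonly documented HMRC format (two prefix letters, six digits, suffix A to D, with a few excluded letters and prefixes); the health-term vocabulary and the sample email chain are constructed for the demo, and a real scanner would use a far larger vocabulary and OCR for scanned files.

```python
import re

# NI number: two letters, six digits, suffix A-D; excluded letters/prefixes per
# the commonly documented HMRC rules (assumption: this matches HMRC's spec).
NI_RE = re.compile(
    r"\b(?!BG|GB|NK|KN|TN|NT|ZZ)[A-CEGHJ-PR-TW-Z][A-CEGHJ-NPR-TW-Z]\d{6}[A-D]\b"
)
EMAIL_RE = re.compile(r"\b[\w.+-]+@[\w-]+(?:\.[\w-]+)+\b")
SALARY_RE = re.compile(r"£\s?\d{1,3}(?:,\d{3})*(?:\.\d{2})?")
# Constructed, deliberately tiny vocabulary standing in for a health lexicon.
HEALTH_TERMS = ("sick note", "sickness absence", "diagnosed", "disability", "medical")

# Tiers follow the article: special category > direct > indirect > none.
TIER_RANK = {"special category": 3, "direct": 2, "indirect": 1, "none": 0}


def scan(text):
    """Return (identifier type, tier, matched text) for each PII hit in text."""
    findings = []
    for m in NI_RE.finditer(text):
        findings.append(("NI number", "direct", m.group()))
    for m in EMAIL_RE.finditer(text):
        findings.append(("email", "direct", m.group()))
    for m in SALARY_RE.finditer(text):
        findings.append(("salary/financial", "indirect", m.group()))
    lowered = text.lower()
    for term in HEALTH_TERMS:
        if term in lowered:
            findings.append(("health", "special category", term))
    return findings


def highest_tier(findings):
    """The most sensitive tier present, which drives how the file must be handled."""
    return max((f[1] for f in findings), key=TIER_RANK.__getitem__, default="none")


# Constructed sample: an HR email chain of the kind that never reaches the HR system.
SAMPLE_EMAIL_CHAIN = """From: hr@example.com
Re: John Smith (NI AB123456C) - sickness absence
He has been off since Monday; salary £65,000 pro rata.
"""

if __name__ == "__main__":
    hits = scan(SAMPLE_EMAIL_CHAIN)
    for kind, tier, value in hits:
        print(f"{tier:17} {kind:17} {value}")
    print("handle as:", highest_tier(hits))
```

Note that a first name on its own ("Please call John about the meeting.") produces no finding, which mirrors the combination test: it is the NI number, email, and health reference alongside the name that make the chain personal and special category data.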
What to do when you find PII
Finding PII in your business documents isn't a crisis — it's normal. The question is whether you're handling it correctly:
- Is there a lawful basis for holding it? If not, consider whether it should be deleted.
- Does it appear in your RoPA? If you're holding it, it should be documented.
- Is it adequately protected? Access controls, encryption, and secure storage apply.
- Is it past its retention period? If so, it should be deleted.
- Should it be redacted before sharing? If a document needs to go to a third party, PII that isn't relevant to that party should be removed.
How Quantra helps with PII identification
Manually reviewing documents for PII is time-consuming and error-prone. The Quantra Agent uses local AI to scan documents for personal data — names, addresses, NI numbers, financial identifiers, health-related terms, and more — across file types, before documents are processed or shared externally.