PII governance and the identity gap teams are missing


(@nhi-mgmt-group)

TL;DR: PII now includes not only names and government IDs but also device identifiers, geolocation, and behavioural data, with the article tracing how privacy law and risk thinking expanded from the 1970s to GDPR and CCPA. The practical lesson is that identity, access, retention, and masking decisions must track re-identification risk, not just obvious fields.

NHIMG editorial — based on content published by Netwrix: An All-in-One Guide to Personally Identifiable Information (PII)

Questions worth separating out

Q: How should organisations classify data that may become PII when combined with other records?

A: They should classify it by re-identification potential, not by the label on the source field.

Q: Why do SaaS and cloud environments make PII harder to govern?

A: Because personal data is often copied, joined, and reused across tools that were not designed as one privacy boundary.

Q: What do security teams get wrong about non-sensitive PII?

A: They often assume it is harmless because it is not obviously confidential.

Practitioner guidance

  • Classify by linkage potential, not just by field name: review datasets for combinations that can identify a person when joined with other records, including device IDs, location trails, and behavioural logs.
  • Separate sensitive PII from general business data paths: put stricter access logging, encryption, and approval steps around sensitive PII workflows than around low-risk contact data.
  • Apply retention limits to re-identifiable datasets: delete or archive data that no longer needs to exist, especially exports, backups, and analytics copies that can be matched back to people.
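The first guidance point can be checked mechanically. As an added example (not code from the Netwrix article or this post), the Python below takes a constructed export in which no single column is labelled PII, measures how many records share each combination of candidate quasi-identifier columns, flags combinations under which some record becomes unique, and reports which column's masking would resolve that. The column names and data are constructed for illustration.

```python
from collections import Counter
from itertools import combinations

# Constructed sample export: no single field is labelled PII, yet some
# combinations single out one person (hypothetical data, not real records).
RECORDS = [
    {"postcode": "SW1A", "birth_year": 1984, "device_model": "Pixel 7", "plan": "pro"},
    {"postcode": "SW1A", "birth_year": 1984, "device_model": "Pixel 7", "plan": "free"},
    {"postcode": "SW1A", "birth_year": 1991, "device_model": "iPhone 13", "plan": "pro"},
    {"postcode": "EC2A", "birth_year": 1991, "device_model": "iPhone 13", "plan": "pro"},
    {"postcode": "EC2A", "birth_year": 1991, "device_model": "iPhone 13", "plan": "free"},
    {"postcode": "EC2A", "birth_year": 1984, "device_model": "Pixel 7", "plan": "free"},
]


def smallest_group(records, columns):
    """Size of the smallest set of records sharing the same values for `columns`
    (the k of k-anonymity). k == 1 means at least one record is unique under
    this column set, so the set acts as an identifier even though no single
    column is labelled PII."""
    groups = Counter(tuple(r[c] for c in columns) for r in records)
    return min(groups.values())


def linkage_report(records, candidate_columns, k_threshold=2):
    """Check every combination of candidate columns and return those whose
    smallest group is below k_threshold, mapped to the k observed."""
    findings = {}
    for n in range(1, len(candidate_columns) + 1):
        for cols in combinations(candidate_columns, n):
            k = smallest_group(records, cols)
            if k < k_threshold:
                findings[cols] = k
    return findings


def masking_candidates(records, candidate_columns, k_threshold=2):
    """Columns whose removal alone brings every remaining combination up to
    k_threshold; these are the first candidates for masking or generalising."""
    return [
        c for c in candidate_columns
        if not linkage_report(records, [x for x in candidate_columns if x != c], k_threshold)
    ]


if __name__ == "__main__":
    quasi = ["postcode", "birth_year", "device_model"]
    for cols, k in linkage_report(RECORDS, quasi).items():
        print(f"re-identifying combination {cols}: k={k}")
    print("mask first:", masking_candidates(RECORDS, quasi))
```

On this sample every single column is shared by at least three records, but postcode joined with either birth year or device model isolates individuals, and masking postcode alone restores k >= 2.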

What's in the full article

Netwrix's full blog covers the operational detail this post intentionally leaves for the source:

  • The article’s field-by-field examples of direct and indirect PII for compliance mapping and data cataloguing.
  • The privacy-law context around GDPR, CCPA, HIPAA, and how these definitions differ by jurisdiction.
  • The handling distinctions between sensitive and non-sensitive PII for access control, logging, and retention design.
  • The article’s practical examples of how non-PII can become PII once datasets are combined.

👉 Read Netwrix's guide to personally identifiable information and PII handling →
