Finding PI and Not Just PII
Privacy demands redefining what data qualifies as personal.
Historically, regulations dealing with personal data like HIPAA, PCI and Breach Response defined personal data by specific types of PII (Personal Identifiable Information). PII was exact and uniquely identifiable. However, regulations like GDPR and CCPA broadened the definition of what is personal to include data that is not just uniquely personal, but is personal because it is in the context of a person.
For instance, a written date in and of itself is not personal. However, when it’s a birthday – it is.
Similarly, a geolocation is not explicitly personal. It is only personal if it can be associated with a person’s Web or mobile session. Examples of data that may be considered personal abound: session keys, IP addresses, cookies, passwords, click streams, gender and more can be characterized as personal when it is by or about a person.
Legacy data discovery technologies whether classification or catalog based were not made for identifying PI. Being pattern-based, they could on occasion discern what the data was but not whether it belonged to a person. That requires an ability to understand both content and context and the ability to trace a piece of data’s connection to a person.
One of BigID’s bigger ideas is that identity matters in data discovery.
BigID therefore remains the only vendor purpose-built from the ground-up to be able to identify what data is personal, even if only contextually personal. This is essential for meeting data right requirements in GDPR and CCPA – and it’s also essential for locating other kinds of sensitive data that are sensitive because of their relationship to other data.