Personally Identifiable Information

PII (Personally Identifiable Information) refers to any data that can be used to directly or indirectly identify a specific individual. It includes names, addresses, social security numbers, biometric data, and any combination of elements that can lead to identification.

The concept of PII is a cornerstone of data protection frameworks worldwide. It encompasses two categories: direct identifiers (full name, passport number, social security number) that can identify a person on their own, and indirect identifiers (date of birth, postal code, occupation) that, when combined, can enable identification. The European GDPR uses the broader concept of 'personal data', which covers PII and extends further to include online identifiers and location data.

In KYC and compliance workflows, PII is at the heart of every identity verification. Businesses necessarily collect PII (copies of identity documents, proof of address, bank details) to meet their regulatory obligations. This creates a constant tension between the need to verify and the duty to protect: every stored PII element represents a potential liability in the event of a data breach.

International regulations (GDPR in Europe, CCPA in California, LGPD in Brazil) impose strict obligations for PII processing: documented legal basis, limited retention periods, technical and organisational security measures, and access and deletion rights for data subjects. Modern verification solutions like CheckFile.ai minimise PII exposure by extracting only the necessary data fields and not retaining document copies beyond the verification process.

Regulations

GDPR, CCPA, LGPD

Real-world examples

  1. An identity verification provider classifies fields extracted from a passport (name, date of birth, document number) as PII and applies AES-256 encryption for storage, with automatic deletion after 90 days.
  2. A California-based fintech receives a CCPA request from a user wanting to know all PII held about them: it must provide a complete inventory including KYC data, login history, and verification metadata.
  3. An HR department automates the anonymisation of PII for unsuccessful job candidates 6 months after the recruitment process closes, in line with data protection authority recommendations on candidate data retention.
