What Counts as PII Under GDPR?
People often say "PII" when they mean personal data under GDPR. The Regulation uses the term personal data, and it is broader than many teams expect. If information relates to an identified or identifiable natural person, it is generally personal data — even without a name, if someone can be singled out indirectly.
The GDPR definition in practice
Under the GDPR, personal data means any information relating to an identified or identifiable person. That includes obvious identifiers (name, email, employee number) and indirect identifiers: IP addresses, device IDs, location data, cookie identifiers where they distinguish a user, and combinations of fields that together identify someone (e.g. job title plus site plus start date).
If you can distinguish an individual from others without disproportionate effort, the data is likely personal data. Anonymised data that cannot be re-linked is not personal data. Pseudonymised data still is, because re-identification remains possible with the key.
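The anonymised-versus-pseudonymised distinction above is easiest to see in code. The following is an added example, not code from the article: it replaces direct identifiers with keyed tokens (pseudonymisation), shows that the controller can still re-identify rows while the key or lookup table exists, and contrasts that with aggregation plus small-group suppression, which yields output that no longer relates to one person. The record layout, field names and key are constructed for the demonstration.

```python
"""Added example: pseudonymised rows remain personal data because they can be
re-linked with the key or lookup table; aggregated, suppressed output cannot."""
import hashlib
import hmac
from collections import Counter

# Constructed sample records (not real people).
RECORDS = [
    {"employee_id": "E1001", "email": "a.jones@example.com", "site": "Leeds", "salary_band": "B"},
    {"employee_id": "E1002", "email": "b.smith@example.com", "site": "Leeds", "salary_band": "B"},
    {"employee_id": "E1003", "email": "c.wu@example.com", "site": "Leeds", "salary_band": "C"},
    {"employee_id": "E1004", "email": "d.kaur@example.com", "site": "York", "salary_band": "B"},
]

# Constructed secret; in practice this key is held separately from the data.
PSEUDONYM_KEY = b"constructed-demo-key"


def pseudonymise(records, key=PSEUDONYM_KEY):
    """Replace direct identifiers with a keyed token (HMAC-SHA256 of the
    employee id). Returns the pseudonymised rows and the re-identification
    table the controller must keep apart from them. While that table (or the
    key, which lets anyone recompute the tokens) exists, the rows are still
    personal data under GDPR."""
    lookup = {}
    rows = []
    for r in records:
        token = hmac.new(key, r["employee_id"].encode(), hashlib.sha256).hexdigest()[:16]
        lookup[token] = r["employee_id"]
        rows.append({"subject": token, "site": r["site"], "salary_band": r["salary_band"]})
    return rows, lookup


def reidentify(pseudonymised_rows, lookup):
    """Reverse the pseudonymisation: this is exactly why it is not anonymisation."""
    return [lookup[row["subject"]] for row in pseudonymised_rows]


def anonymise(records, min_group_size=2):
    """Aggregate to counts per (site, salary_band) and suppress any group smaller
    than min_group_size. No output row corresponds to one individual, and there
    is no key that re-links it, so the result is no longer personal data."""
    counts = Counter((r["site"], r["salary_band"]) for r in records)
    return {group: n for group, n in counts.items() if n >= min_group_size}


if __name__ == "__main__":
    rows, lookup = pseudonymise(RECORDS)
    print("pseudonymised:", rows)
    print("re-identified:", reidentify(rows, lookup))
    print("anonymised:", anonymise(RECORDS))
```

Note that the York row and the Leeds band C row are dropped by suppression: a group of one would otherwise let a reader single out that employee from the aggregate, which is the "disproportionate effort" test failing.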
Special category and sensitive data
Special categories include racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, genetic data, biometric data processed to uniquely identify someone, health data, and data about sex life or sexual orientation. These need stricter legal bases and extra care in DSAR/SAR responses and redaction. Criminal conviction and offence data has separate safeguards under the GDPR.
Why this matters for redaction
When you disclose documents under a DSAR (also known as a SAR) or to a regulator, anything that identifies or could identify a third party is still their personal data. Redaction is not only about hiding "sensitive" words — it is about preventing identification of anyone other than the data subject where the law requires it.
Tools that detect names, addresses, national identifiers, dates of birth, and similar patterns help scale review, but human judgment remains essential for context (e.g. "my manager" vs a named individual).
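The tooling described above, as an added example that is not part of the original article: a small pattern-based scanner that finds emails, IPv4 addresses, dates of birth, a simplified UK National Insurance number shape and names from a reviewer-supplied list, keeps the data subject's own identifiers, marks third-party identifiers for redaction, and flags role references such as "my manager" for a human decision rather than guessing. The sample text, the names and all identifiers in it are constructed; the regular expressions are deliberately simple and are assumptions of this example, not a production ruleset.

```python
"""Added example: pattern-based detection for DSAR redaction with a human-review
lane for context-dependent references."""
import re
from dataclasses import dataclass


@dataclass
class Finding:
    category: str
    text: str
    start: int
    end: int
    action: str  # "redact" (third party), "keep" (data subject's own data), "review" (human decision)


# Simplified patterns, constructed for this example; tune before real use.
PATTERNS = {
    "email": re.compile(r"\b[\w.+-]+@[\w-]+\.[\w.-]+\b"),
    "ipv4": re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b"),
    "date_of_birth": re.compile(r"\b\d{2}/\d{2}/\d{4}\b"),
    "uk_nino": re.compile(r"\b[A-Z]{2}\d{6}[A-D]\b"),
}
# Indirect references that may identify a third party only in context.
ROLE_REFERENCES = re.compile(
    r"\b(?:my|his|her|their) (?:manager|line manager|colleague|doctor)\b", re.IGNORECASE
)


def scan(text, data_subject_identifiers, known_names):
    """Return findings sorted by position. Identifiers belonging to the data
    subject are kept (it is their own data); everything else is redacted or
    queued for review."""
    findings = []
    for category, pattern in PATTERNS.items():
        for m in pattern.finditer(text):
            action = "keep" if m.group() in data_subject_identifiers else "redact"
            findings.append(Finding(category, m.group(), m.start(), m.end(), action))
    # Name detection by regex is unreliable, so names come from a reviewer-supplied list.
    for name in known_names:
        for m in re.finditer(re.escape(name), text):
            action = "keep" if name in data_subject_identifiers else "redact"
            findings.append(Finding("name", m.group(), m.start(), m.end(), action))
    for m in ROLE_REFERENCES.finditer(text):
        findings.append(Finding("role_reference", m.group(), m.start(), m.end(), "review"))
    findings.sort(key=lambda f: f.start)
    return findings


def redact(text, findings):
    """Apply only the 'redact' findings, replacing from the end of the text so
    earlier offsets stay valid. Spans are assumed not to overlap."""
    out = text
    for f in sorted(findings, key=lambda f: f.start, reverse=True):
        if f.action == "redact":
            out = out[: f.start] + f"[REDACTED {f.category}]" + out[f.end :]
    return out


# Constructed sample document and data-subject details (not real people).
SAMPLE = (
    "Complaint raised by Priya Shah (DOB 04/03/1988, priya.shah@example.com). "
    "Her line manager, Tom Reilly (tom.reilly@example.com), logged in from 10.20.30.40. "
    "Witness NI number AB123456C."
)
DATA_SUBJECT_IDENTIFIERS = {"Priya Shah", "04/03/1988", "priya.shah@example.com"}
KNOWN_NAMES = ["Priya Shah", "Tom Reilly"]


def review_queue(findings):
    """Items a human must decide on, e.g. whether 'her line manager' identifies someone."""
    return [f.text for f in findings if f.action == "review"]


if __name__ == "__main__":
    found = scan(SAMPLE, DATA_SUBJECT_IDENTIFIERS, KNOWN_NAMES)
    for f in found:
        print(f"{f.action:6} {f.category:15} {f.text!r}")
    print(redact(SAMPLE, found))
    print("needs human review:", review_queue(found))
```

The point of the third lane is the one the article makes: "her line manager" is not matched by any identifier pattern, yet in a small team it identifies Tom Reilly as surely as his name does, so the tool surfaces it instead of silently leaving it in.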
PII vs personal data — terminology
"PII" is common in US frameworks (and in security teams). GDPR does not use the term PII. It uses personal data, which is often interpreted more broadly. When your policy says "remove PII," align that with your legal team's reading of personal data and special categories so redaction playbooks match regulatory expectations.
Frequently asked questions
Is PII the same as personal data under GDPR?
GDPR uses the term personal data, not PII. Personal data is often interpreted broadly: any information relating to an identified or identifiable person. Colloquial PII usually means direct identifiers, but GDPR can also cover indirect identifiers and online identifiers when someone can be singled out.
Are IP addresses personal data?
Often yes, when they can distinguish an individual — especially combined with other data the controller holds or can access. Treat IP addresses as personal data unless your DPO or counsel advises otherwise for a specific use case.
Is anonymised data still personal data?
Properly anonymised data that cannot be re-identified (even with extra effort) is not personal data under GDPR. Pseudonymised data still is personal data because re-identification remains possible with the key or additional information.