← MUTANT WORK

What Is PII? A Plain English Guide to Personal Identifiable Information

Published 4 July 2026 · 5 min read · By Richard Brereton

PII stands for Personally Identifiable Information. It's any piece of data — or combination of data — that can be used to identify a specific living person. Understanding what counts as PII is essential for anyone handling data at work, building software, or using AI tools.

What Counts as PII?

Direct identifiers

These identify someone on their own, without needing additional information:

Indirect identifiers

These can identify someone when combined with other information:

Special category data

Under UK and EU GDPR, certain categories of PII receive stronger protection because of the sensitivity of the information:

Key point: Data doesn't have to identify someone by name to be PII. A dataset containing someone's postcode, date of birth, and employer can identify them uniquely even without a name attached.

Why PII Matters

Organisations that handle PII have legal obligations under data protection law — in the UK under UK GDPR and the Data Protection Act 2018, and in the EU under EU GDPR. These laws require organisations to:

Failures can result in fines (up to £17.5 million or 4% of global annual turnover under UK GDPR), regulatory enforcement, and reputational damage.

PII and AI Tools

One of the fastest-growing sources of PII exposure is AI tool usage. When staff paste documents, emails, or records into ChatGPT, Copilot, or Claude, they often include personal data without realising it. Under GDPR, this constitutes sharing personal data with a third party — and requires a legal basis and often a Data Processing Agreement to be lawful.

The safest approach is to scan and redact PII before it enters any AI tool. Mutant Data Safety Layer does this automatically — it identifies PII in pasted text and replaces it with typed placeholders before you copy the content into an AI prompt. The scan runs entirely in your browser, with no data sent anywhere.

→ Scan for PII — Free

Frequently Asked Questions

Is an email address PII?

Yes. An email address is a direct identifier — it can identify a specific person on its own and is classified as personal data under GDPR.

Is a company name PII?

No, a company name is not PII on its own. However, information about a specific person at a company — their name, role, email, or direct phone number — is PII.

What is the difference between PII and personal data?

PII is the US-centric term used in frameworks like CCPA and HIPAA. Personal data is the equivalent term used in GDPR. The definitions are similar but not identical — GDPR's definition of personal data is broader and includes any information that relates to an identifiable person, including online identifiers.

How do I check if a document contains PII?

Mutant Data Safety Layer scans pasted text for over 12 categories of PII including emails, phone numbers, NI numbers, bank details, NHS numbers, and postcodes — all locally in your browser with no upload required.