What is Personally Identifiable Information (PII)?
Personally identifiable information (PII) is any data that can identify a specific individual, either directly or in combination with other data points.
That definition is simple. The governance challenge behind it is not. PII does not sit quietly in one place. It originates in application code, flows through ORM mappings and transformation pipelines, lands in warehouses and BI tools, and feeds AI models. Every step along that path represents a point where sensitive data can be exposed, misclassified, or lost from governance view. Most organizations know they have PII governance requirements. Fewer have the lineage coverage to meet them.
The root problem is architectural. Traditional governance tools read from query logs and warehouse metadata. They see PII at the layer where data lands, not at the layer where it is defined. The fields that constitute PII in your organization are specified in application code: ORM mappings that define what a user record contains, Python workloads that ingest and reshape customer data, Java applications that process transactions involving personal information. Those definitions exist in source code. Query-log-based governance tools cannot see them.
Deterministic lineage changes this. By analyzing source code directly, rather than inferring relationships from usage logs, deterministic lineage traces each PII field from its origin through every transformation to its final consumption point. That trace is exact, not probabilistic. It is the difference between governance that approximates where sensitive data goes and governance that can demonstrate, to a regulator or an auditor, exactly where it went.
For most enterprises, the coverage gap is significant. Research across organizations using query-log-based tools shows lineage coverage of 30 to 50 percent of actual data flows. That gap is where PII exposure lives. Application layers, cross-platform transformations, and Python pipelines account for a substantial portion of PII movement in modern data environments. If those layers are invisible to your governance tool, your PII governance is structurally incomplete regardless of how carefully you manage the warehouse layer.
How PII relates to adjacent terms
Protected health information (PHI) is a subset of PII specific to healthcare. PHI is defined by HIPAA and includes medical records, treatment history, and health-related identifiers. PHI has stricter handling requirements than general PII under most frameworks, and organizations in healthcare or adjacent industries must govern it under a separate compliance regime.
Personal data is the term used under GDPR. It is broader than many U.S. definitions of PII and covers any information that can identify a natural person, including pseudonymized data in some contexts. Organizations operating across jurisdictions must account for the definitional differences between personal data under GDPR and PII under U.S. frameworks such as CCPA.
Sensitive data is the operational category that encompasses PII, PHI, and additional fields your organization designates as requiring restricted handling, such as financial account numbers, biometric data, or internal employee records. Sensitive data governance is the practice of tracking and controlling all of these fields.
Each of these categories carries a different regulatory definition and a different governance requirement. What they share is the same underlying technical problem: they flow through application layers that most governance tools cannot see.
Why PII governance matters for compliance leaders
Compliance with GDPR, CCPA, HIPAA, and other privacy frameworks requires knowing, precisely and quickly, every path through which PII travels. That is not a documentation exercise. It is a technical requirement. Regulators and data subjects who submit deletion requests do not accept approximations.
Three compliance scenarios make the technical requirement concrete. A GDPR data subject access request requires producing a complete record of where an individual's data was collected, how it was processed, and where it traveled. A CCPA deletion request requires locating and removing PII from every system and pipeline where it appears. A regulatory audit of an AI model requires demonstrating that the personal data used to train or operate the model was governed at every step. Each of these scenarios fails when lineage is incomplete.
When lineage does not cover the application layer, compliance teams face a choice between two bad outcomes: manual reconstruction, which takes weeks and is still not complete, or submitting incomplete responses to regulators, which creates enforcement exposure. Neither is acceptable. The organizations that handle privacy compliance efficiently are the ones whose lineage is always current and covers the full stack.
Related glossary terms
Frequently asked questions about personally identifiable information
What is the difference between PII and personal data under GDPR?
PII is the term used under U.S. frameworks including CCPA. Personal data is the GDPR equivalent and is broader: it includes any information that can identify a natural person, including pseudonymized data in some circumstances. Organizations operating across both frameworks must apply the stricter definition when in doubt, and their lineage coverage must be complete enough to support both regulatory regimes.
Why is warehouse-level lineage insufficient for PII governance?
PII originates in application code, ORM mappings, and transformation pipelines before it ever reaches a warehouse. Query-log-based governance tools see only what executes in the warehouse. The definitions that determine which fields constitute PII, and the transformations those fields undergo before reaching the warehouse, exist in source code. Governance tools that cannot analyze source code produce lineage coverage of 30 to 50 percent of actual data flows, leaving the majority of PII movement outside governance view.
How does deterministic lineage support GDPR deletion requests?
A GDPR deletion request requires locating every system and pipeline where an individual's PII appears. Deterministic lineage, derived from source code analysis, traces each sensitive field from its origin through every transformation to its final destination. That trace is exact, not inferred from query history. When a deletion request arrives, compliance teams can produce a complete map of where the data traveled without manual reconstruction, and can verify that deletion was complete.
<script src="https://cdnjs.cloudflare.com/ajax/libs/gsap/3.8.0/gsap.min.js"></script>
<script src="https://cdnjs.cloudflare.com/ajax/libs/gsap/3.8.0/ScrollTrigger.min.js"></script>
<script>
// © Code by T.RICKS, https://www.timothyricks.com/
// Copyright 2021, T.RICKS, All rights reserved.
// You have the license to use this code in your projects but not to redistribute it to others
gsap.registerPlugin(ScrollTrigger);
let horizontalItem = $(".horizontal-item");
let horizontalSection = $(".horizontal-section");
let moveDistance;
function calculateScroll() {
// Desktop
let itemsInView = 3;
let scrollSpeed = 1.2; if (window.matchMedia("(max-width: 479px)").matches) {
// Mobile Portrait
itemsInView = 1;
scrollSpeed = 1.2;
} else if (window.matchMedia("(max-width: 767px)").matches) {
// Mobile Landscape
itemsInView = 1;
scrollSpeed = 1.2;
} else if (window.matchMedia("(max-width: 991px)").matches) {
// Tablet
itemsInView = 2;
scrollSpeed = 1.2;
}
let moveAmount = horizontalItem.length - itemsInView;
let minHeight =
scrollSpeed * horizontalItem.outerWidth() * horizontalItem.length;
if (moveAmount <= 0) {
moveAmount = 0;
minHeight = 0;
// horizontalSection.css('height', '100vh');
} else {
horizontalSection.css("height", "200vh");
}
moveDistance = horizontalItem.outerWidth() * moveAmount;
horizontalSection.css("min-height", minHeight + "px");
}
calculateScroll();
window.onresize = function () {
calculateScroll();
};let tl = gsap.timeline({
scrollTrigger: {
trigger: ".horizontal-trigger",
// trigger element - viewport
start: "top top",
end: "bottom top",
invalidateOnRefresh: true,
scrub: 1
}
});
tl.to(".horizontal-section .list", {
x: () => -moveDistance,
duration: 1
});
</script>
See how Foundational traces PII across your entire stack
Deterministic lineage from source code gives your compliance team the complete, always-current picture of where sensitive data lives and travels.
See how Foundational traces PII across your entire stack
Deterministic lineage from source code gives your compliance team the complete, always-current picture of where sensitive data lives and travels.
See how Foundational traces PII across your entire stack
Deterministic lineage from source code gives your compliance team the complete, always-current picture of where sensitive data lives and travels.