PII | 10 March 2025 | 6 min read

What Is PII and Why Your Business Must Protect It


Moiz Hussain

Founder & CEO

Every SaaS application, every customer database, every HR system holds data that could identify a real person. Names, email addresses, national insurance numbers, IP addresses, biometric records — the list is long and growing. Regulators call it personally identifiable information (PII), and mishandling it is no longer a theoretical risk.

The expanding definition of PII

Under GDPR, PII includes any data that can directly or indirectly identify a natural person. That means even a combination of seemingly harmless fields — postcode, date of birth, job title — can become PII when linked together. The UK Data Protection Act 2018 takes a similarly broad view, and new regulations in the US and APAC are following suit.

  • Direct identifiers: full name, passport number, NHS number, email address
  • Indirect identifiers: IP address, device fingerprint, location data, cookie IDs
  • Sensitive PII: health records, biometric data, racial or ethnic origin, political opinions
  • Emerging PII: behavioural patterns, voice prints, gait recognition data
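As an added illustration of the linkage point above (example code written for this page, not part of the original article or any product), the following Python measures how many records share each combination of quasi-identifiers over a small constructed dataset: postcode, date of birth and job title are each shared by several people, yet all three together single out one record, which is exactly when "harmless" fields become PII.

```python
from collections import Counter
from itertools import combinations

# Constructed sample records (not real people). Every single field value is
# shared by four people, every pair of fields by two, but the full triple
# (postcode, dob, job) is unique to one record.
RECORDS = [
    {"name": "A", "postcode": "SW1A 1AA", "dob": "1985-04-12", "job": "Nurse"},
    {"name": "B", "postcode": "SW1A 1AA", "dob": "1985-04-12", "job": "Teacher"},
    {"name": "C", "postcode": "SW1A 1AA", "dob": "1990-09-03", "job": "Nurse"},
    {"name": "D", "postcode": "SW1A 1AA", "dob": "1990-09-03", "job": "Teacher"},
    {"name": "E", "postcode": "M1 1AE",   "dob": "1985-04-12", "job": "Nurse"},
    {"name": "F", "postcode": "M1 1AE",   "dob": "1985-04-12", "job": "Teacher"},
    {"name": "G", "postcode": "M1 1AE",   "dob": "1990-09-03", "job": "Nurse"},
    {"name": "H", "postcode": "M1 1AE",   "dob": "1990-09-03", "job": "Teacher"},
]

# Fields that are not identifiers on their own but may be when linked.
QUASI_IDENTIFIERS = ("postcode", "dob", "job")


def k_anonymity(records, fields):
    """Smallest group size when records are bucketed by the given fields.
    k == 1 means at least one person is uniquely identifiable from them."""
    groups = Counter(tuple(r[f] for f in fields) for r in records)
    return min(groups.values())


def singling_out_combinations(records, fields=QUASI_IDENTIFIERS):
    """Every subset of `fields` that singles out at least one record (k == 1).
    Subsets are returned smallest-first so the minimal risky linkage is listed first."""
    risky = []
    for size in range(1, len(fields) + 1):
        for combo in combinations(fields, size):
            if k_anonymity(records, combo) == 1:
                risky.append(combo)
    return risky


if __name__ == "__main__":
    for size in range(1, 4):
        for combo in combinations(QUASI_IDENTIFIERS, size):
            print(f"{'+'.join(combo):<24} k = {k_anonymity(RECORDS, combo)}")
    print("combinations that single someone out:", singling_out_combinations(RECORDS))
```

Run against a real export (with the constructed RECORDS replaced), the same check tells you which field combinations must be treated as PII before the data is shared with a staging environment or a third party.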

Why SMEs are disproportionately affected

Large enterprises have dedicated data protection officers, legal teams, and security budgets. SMEs often handle the same categories of data with a fraction of the resources. The result is a compliance gap that regulators are increasingly willing to punish — the ICO issued fines to 34% more small organisations in 2024 than the year before.

The biggest misconception we see is that PII protection is an enterprise-only problem. In reality, a 20-person fintech holds data that's just as sensitive as a bank's.

Moiz Hussain, Founder & CEO

The cost of getting it wrong

Beyond regulatory fines — which can reach £17.5 million or 4% of global turnover under GDPR — a PII breach triggers a chain of operational damage. Mandatory breach notifications within 72 hours, forensic investigation costs averaging £125,000, customer churn rates that spike by 30–40% in the quarter following disclosure, and reputational harm that compounds over years.

Key takeaway

PII protection is not a checkbox exercise. It requires continuous, automated scanning across every system that touches personal data — from production databases to staging environments to third-party integrations.

Moving from reactive to proactive

The traditional approach — annual audits, manual data mapping, spreadsheet-based risk registers — cannot keep pace with modern development velocity. Teams deploy multiple times per day, spin up new microservices weekly, and integrate third-party APIs continuously. Each change is a potential new PII exposure point.

Automated PII detection at the infrastructure level catches exposures as they happen, not months later during an audit. By scanning at the kernel level with eBPF, tools like easyPII can identify PII flows in real time without impacting application performance — typically adding less than 10ms of latency per request.

Tags: PII, data protection, GDPR, compliance