A bookkeeper received a vendor export described as "transaction data." It contained a column labeled "ref" that, on inspection, held customer SSNs. No one had flagged it. No one had looked. The file had been shared with four people before anyone noticed. That's the hidden PII problem — personal data in places you didn't expect it.
CSV files shared across teams, received from vendors, or exported from legacy systems often contain personal information that wasn't documented, intended, or expected. Finding it proactively is far better than discovering it after a breach or a regulatory audit.
Where Personal Data Hides in CSV Files
Obvious places (easy to find):
- Columns named "email", "phone", "name", "address", "ssn", "dob"
Less obvious places (where PII actually hides):
- Columns named "id", "ref", "identifier", "code" that contain SSNs, passport numbers, or other PII encoded as identifiers
- "notes" or "comments" free-text fields where employees recorded personal details
- "username" columns that contain email addresses
- "reference" columns that contain customer contact information
- Concatenated fields: "address_full" that contains a complete address in one field
- Log or audit columns that record who did what and when, including user-identifiable information
Sohovi automatically detects PII in your datasets — emails, phone numbers, SSNs — all processed client-side so your data never leaves the browser.
How to Scan a CSV for PII
Column name inspection: Check all column headers for names that suggest personal data. This catches the obvious cases.
Pattern matching: Check column values against known PII patterns:
- Email pattern: contains @ and a valid domain
- Phone pattern: 7–15 digits, possibly with formatting characters
- SSN pattern: XXX-XX-XXXX or 9 consecutive digits
- Credit card pattern: 16 digits, possibly with spaces or dashes
- Date of birth: dates in a plausible birth year range
Free-text scanning: For text columns with variable content, look for embedded PII — names, emails, phone numbers mentioned in narrative form.
Sohovi automatically scans your uploaded CSV for PII patterns across all columns — detecting email addresses, phone numbers, SSN formats, and other personal data indicators without your data ever leaving your browser.
What to Do When You Find Unexpected PII
- Document the finding: Note which column, what type of PII, and how many records contain it.
- Assess the exposure: Who has had access to this file? Has it been stored, forwarded, or shared?
- Determine legal basis: Do you have a legitimate reason to hold this PII? If not, it needs to be removed.
- Fix the source: If the PII is being included unintentionally (e.g., in a vendor export), request that the vendor exclude it from future deliveries.
- Review access controls: Ensure the file is only accessible to people who need it and have a legal basis for seeing it.
Finding PII in a CSV is a starting point, not a crisis — as long as you respond appropriately.
