Skip to main content
Privacy & Compliance

How to Find Personal Data Hidden in Your CSV Files

Personal data often hides in unexpected columns of CSV files shared across teams. Here's how to scan for PII before a compliance issue finds it for you.

A bookkeeper received a vendor export described as "transaction data." It contained a column labeled "ref" that, on inspection, held customer SSNs. No one had flagged it. No one had looked. The file had been shared with four people before anyone noticed. That's the hidden PII problem — personal data in places you didn't expect it.

CSV files shared across teams, received from vendors, or exported from legacy systems often contain personal information that wasn't documented, intended, or expected. Finding it proactively is far better than discovering it after a breach or a regulatory audit.

Where Personal Data Hides in CSV Files

Obvious places (easy to find):

  • Columns named "email", "phone", "name", "address", "ssn", "dob"

Less obvious places (where PII actually hides):

  • Columns named "id", "ref", "identifier", "code" that contain SSNs, passport numbers, or other PII encoded as identifiers
  • "notes" or "comments" free-text fields where employees recorded personal details
  • "username" columns that contain email addresses
  • "reference" columns that contain customer contact information
  • Concatenated fields: "address_full" that contains a complete address in one field
  • Log or audit columns that record who did what and when, including user-identifiable information

Sohovi automatically detects PII in your datasets — emails, phone numbers, SSNs — all processed client-side so your data never leaves the browser.

How to Scan a CSV for PII

Column name inspection: Check all column headers for names that suggest personal data. This catches the obvious cases.

Pattern matching: Check column values against known PII patterns:

  • Email pattern: contains @ and a valid domain
  • Phone pattern: 7–15 digits, possibly with formatting characters
  • SSN pattern: XXX-XX-XXXX or 9 consecutive digits
  • Credit card pattern: 16 digits, possibly with spaces or dashes
  • Date of birth: dates in a plausible birth year range

Free-text scanning: For text columns with variable content, look for embedded PII — names, emails, phone numbers mentioned in narrative form.

Sohovi automatically scans your uploaded CSV for PII patterns across all columns — detecting email addresses, phone numbers, SSN formats, and other personal data indicators without your data ever leaving your browser.

What to Do When You Find Unexpected PII

  1. Document the finding: Note which column, what type of PII, and how many records contain it.
  2. Assess the exposure: Who has had access to this file? Has it been stored, forwarded, or shared?
  3. Determine legal basis: Do you have a legitimate reason to hold this PII? If not, it needs to be removed.
  4. Fix the source: If the PII is being included unintentionally (e.g., in a vendor export), request that the vendor exclude it from future deliveries.
  5. Review access controls: Ensure the file is only accessible to people who need it and have a legal basis for seeing it.

Finding PII in a CSV is a starting point, not a crisis — as long as you respond appropriately.

Selva Santosh

Data quality, for people who ship

Selva writes practical guides on data quality, profiling, and governance to help teams ship better data.

Start for free

Stop guessing. Start knowing your data quality.

Sohovi profiles your datasets in minutes — surfacing completeness gaps, type mismatches, and duplicate patterns before they reach production.

No credit card required · Free forever plan