Skip to main content
Data Profiling

PII Detection: How to Find Personal Information Hidden in Your Datasets

Personal data often hides in unexpected columns of CSV files. PII detection scans for names, emails, phone numbers, SSNs, and more before a compliance issue arises.

You received a vendor export. It was described as "product inventory data." Three columns into the profile, you find a column full of customer email addresses. Another has what looks like partial credit card numbers. No one flagged it as sensitive — because no one looked. That's the hidden PII problem.

PII (Personally Identifiable Information) detection is the process of scanning a dataset to identify columns that contain personal information — names, emails, phone numbers, social security numbers, addresses, dates of birth, and other data that could identify an individual.

Why PII Hides in Unexpected Places

Datasets are assembled, exported, and shared without systematic review. A "sales transactions" export that was supposed to contain only order IDs and amounts might also include a customer name column that the person exporting didn't notice. Vendor-supplied files often include more personal data than necessary. Legacy datasets accumulate PII from systems that no longer exist.

Sohovi automatically detects PII in your datasets — emails, phone numbers, SSNs — all processed client-side so your data never leaves the browser.

GDPR and CCPA both impose requirements on how PII is handled — including requirements that you know what personal data you hold. Discovering PII in a dataset after a breach is significantly worse than discovering it during a routine profile.

What PII Detection Looks For

Obvious PII by column name — Columns named "email", "phone", "ssn", "dob", "first_name", "last_name" are strong signals.

Pattern-based detection — Values matching email format, phone number patterns, SSN patterns (XXX-XX-XXXX), credit card patterns, or IP address formats indicate PII regardless of column name.

Named entity detection — More sophisticated detection identifies first and last name patterns, address patterns, and other personally identifiable structures in free-text columns.

Near-PII — Combinations of non-PII fields (zip code + birth year + gender) that together could identify an individual.

Why Column Names Alone Aren't Enough

A column named "identifier" might contain email addresses. A column named "reference" might contain SSNs. A column named "notes" in a free-text field might contain full customer names and addresses embedded in comments. PII detection that only looks at column names misses a substantial portion of actual PII.

Sohovi runs pattern-based PII detection on every column of your uploaded CSV — flagging email patterns, phone patterns, SSN formats, and other personal data indicators regardless of the column name. All detection runs in your browser; your data never leaves your machine.

What to Do When You Find PII

Document it, classify it, and determine whether you have a legal basis to hold and process it. If the PII was unexpected (it shouldn't have been in the dataset), trace how it got there and prevent future occurrences. If it should be there, ensure it's handled according to your privacy policy and applicable regulations.

Finding PII during a profile is far better than finding it during a breach investigation.

Selva Santosh

Data quality, for people who ship

Selva writes practical guides on data quality, profiling, and governance to help teams ship better data.

Start for free

Stop guessing. Start knowing your data quality.

Sohovi profiles your datasets in minutes — surfacing completeness gaps, type mismatches, and duplicate patterns before they reach production.

No credit card required · Free forever plan