Paper

PII Masking and Risk Assessment in Unstructured Text: An NLP-Based Approach

This report presents a university project for our Natural Language Processing and Text Analytics course at Copenhagen Business School, completed by our team: Eduard Aguado, Federico De Marinis, Noe Juarez, and Marco Sburlino. Our objective was to develop an automated system for detecting Personally Identifiable Information (PII) in unstructured text and classifying documents by privacy risk level to support GDPR-compliant data handling. Using the PII Masking 300K dataset, we designed an end-to-end pipeline that included data cleaning, exploratory analysis, BIO-based token labeling, weighted risk scoring, and binary risk classification (Low vs. High). We implemented and evaluated multiple approaches: TF-IDF with Logistic Regression and Multinomial Naive Bayes as baselines, a fine-tuned DistilBERT model for contextual token classification, and GPT-3.5 via API for zero-shot PII extraction. Models were compared using recall, F1-score, and accuracy, with particular emphasis on minimizing false negatives in high-risk cases. DistilBERT achieved the strongest overall performance, demonstrating the advantage of transformer-based architectures for context-aware PII detection and privacy risk assessment in text.

Keywords:

Natural Language Processing

Privacy Risk Classification

PII Detection

TF-IDF

BERT

GPT -3.5

MMarco SburlinoEEduard Aguado MarinFFederico De MarinisNNoe Juarez·Published May 2025

Built With

Python

Natural Language Processing

Topics

Cybersecurity

Logistic Regression

TF-IDF

Naive Bayes

BERT

LLMs

References

AI4Privacy. 2023. PII Masking 300K Dataset. https://huggingface.co/datasets/ai4privacy/pii-masking-300k.

Devlin, Jacob, Ming-Wei Chang, Kenton Lee, and Kristina Toutanova. 2019. “BERT: Pre-Training of Deep Bidirectional Transformers for Language Understanding.” Proceedings of the 2019 Conference of the North American Chapter of the Association for Computational Linguistics: Human Language Technologies, 4171–86. https://aclanthology.org/N19-1423.

European Parliament and Council. 2016. Regulation (EU) 2016/679 (General Data Protection Regulation). Https://gdpr-info.eu/.

“Fraud and Extortion Risk After Cyberattack on Legal Aid Agency.” 2025. The Times. https://www.thetimes.co.uk/article/legal-aid-agency-cyberattack-pii-breach.

Kulkarni, Poornima, and Cauvery N K. 2021. “Personally Identifiable Information (PII) Detection Using Machine Learning and Rule-Based Techniques.” International Journal of Advanced Computer Science and Applications (IJACSA) 12 (9): 470–76. https://thesai.org/Downloads/Volume12No9/Paper_57-Personally_Identifiable_Information_PII_Detection.pdf.

Lample, Guillaume, Miguel Ballesteros, Sandeep Subramanian, Kazuya Kawakami, and Chris Dyer. 2016. “Neural Architectures for Named Entity Recognition.” Proceedings of NAACL-HLT, 260–70.

Manning, Christopher D., Prabhakar Raghavan, and Hinrich Schütze. 2008. Introduction to Information Retrieval. Cambridge University Press. https://nlp.stanford.edu/IR-book/.

Mohammedi, Manou. 2023. “Anonymizing Text with NLP: Strategies and Techniques for Ensuring Data Privacy.” Medium. https://medium.com/@manou.mohammedi/anonymizing-text-with-nlp-strategies-and-techniques-for-ensuring-data-privacy-598a99598b3a.

OpenAI. 2025a. GPT-3.5 Turbo Model Details. https://platform.openai.com/docs/models/gpt-3.5-turbo.

OpenAI. 2025b. OpenAI API Models Overview. https://platform.openai.com/docs/models.

Sanh, Victor, Lysandre Debut, Julien Chaumond, and Thomas Wolf. 2019. “DistilBERT, a Distilled Version of BERT: Smaller, Faster, Cheaper and Lighter.” arXiv Preprint arXiv:1910.01108. https://arxiv.org/abs/1910.01108.

U.S. Department of Labor. 2025. Protection of Personally Identifiable Information (PII). Https://www.dol.gov/general/ppii.

World Economic Forum. 2023. The Global Risks Report 2023: 18th Edition. World Economic Forum. https://www.weforum.org/reports/global-risks-report-2023.