Sensitive personal data and GDPR: examples and differences (2024)

What is sensitive data?

Sensitive data, also known as special category data or sensitive personal data, is confidential information that you should only make available to people who have the right permissions to access it.

Data is not considered sensitive if it’s:

  1. Already publicly known and available, or
  2. Organisational information that you regularly share in or outside your organisation

But what types of personal data are considered sensitive? Let’s find out.

What are some examples of sensitive data?

  • Racial or ethnic origin
  • Political beliefs or religious beliefs
  • Genetic or biometric data
  • Mental health or sexual health
  • Sexual orientation and sex life
  • Possession or lack of trade union membership
  • Financial information
  • Criminal convictions and offences

You’ll need to store sensitive data like this separately from other personal data. And, when you store it digitally, you’ll also need to encrypt it or remove any personally identifiable markers.

This last point applies to personal data too, but there are some important differences between the two types of information.

Is sensitive data and personal data the same thing?

In short, no. There are much tougher rules that apply to processing and storing sensitive data.

Personal data is any information that someone could use to identify an individual or establish their physical presence at a location. Things like CCTV footage, fingerprints, physical addresses and phone numbers, for example. So, if you can use a piece of information to identify a data subject, you’re dealing with personal data.

But sensitive data is a whole different level. It’s the type of information that could cause harm to an individual if you disclosed it. As such, the regulations protect it on legal, ethical or other relevant grounds.

What are some examples of non-sensitive data?

Even when exploring non-sensitive data, you’ll still need to exercise some caution, because although some pieces of data aren’t individually sensitive, when combined they could help someone to identify a data subject. Things like:

  • Gender
  • Date of birth
  • Postcode
  • Birthplace
  • Employment status
  • Level of education

This isn't an exhaustive list: non-sensitive personal data can apply to any type of personally identifiable information, even if it doesn’t qualify as special category data.

Once you’ve identified sensitive data, you’ll need to determine how sensitive it is. Only then can you work out the level of protection that it needs.

How do you assess data sensitivity?

There are several ways to do this. A key first step when measuring the sensitivity of data is to consider its confidentiality, integrity and availability. In other words, how bad would it be for your data subject (and your business) if this data were released?

Confidentiality

Make sure data is protected from unauthorised access but easily accessible to permitted parties. Some confidentiality countermeasures include:

  • Data encryption
  • Two-factor authentication
  • Passwords
  • Biometric verification

Integrity

Ensure data remains consistent and accurate throughout its lifecycle and that information isn’t changed or tampered with. Some integrity countermeasures are:

  • User access controls
  • Audit logs
  • Backups
  • File permissions

Availability

Make data available when people need it, and make sure you protect it with relevant security controls, using countermeasures like these:

  • Regular software patch management
  • Maintaining a business continuity management system (BCMS) for effective disaster recovery
  • Conducting repairs to hardware as soon as needed
  • Maintaining firewalls and other additional security measures

Okay, great. You’ve assessed the sensitivity of the data your organisation collects! But have you considered the legalities involved when you process it?

What are the conditions for processing sensitive data?

There are six lawful grounds for processing personal and sensitive data: consent, contractual obligations, legal obligations, vital interest, public interest and legitimate interest. These grounds determine if you have a legal basis for processing sensitive data or not.

Articles 6 and 9 of the UK GDPR lay down these requirements, and here they are:

  • The data subject must have either:
    • Already made the data public, or
    • Given their explicit consent for its collection/processing
  • Processing must be in the data subject’s best interests if they're unable or incapable of giving explicit consent
  • Processing is required due to a significant public health concern
  • Processing is necessary for the data controller (your organisation) to adhere to employment-related, social security or other obligations
  • Processing is necessary to verify the legitimacy of activities carried out by not-for-profit organisations or foundations

If you don’t stay up to date with the compliance requirements for processing sensitive data, your organisation could be liable for damages.

What are the consequences of the unauthorised disclosure of sensitive data?

You need to clearly notify individuals about the data you're collecting, the reasons why, and what you intend to do with it. The UK GDPR states that you have to get the explicit consent of the data subject. You’ll also need to:

  • Notify individuals in case of a data breach
  • Appoint a data protection officer (DPO)
  • Maintain the anonymity of collected data for the privacy of the data subject

If you don’t, you risk lasting damage to your organisation’s reputation, as well as regulatory fines and legal action.

Conclusion

Sensitive data requires a higher level of consideration and protection than personal data because its release could potentially harm the data subject.

To avoid compromising the privacy of data subjects, it’s important to be familiar with the compliance requirements outlined by the UK GDPR. By doing so, you’ll be better able to uphold countermeasures that protect the confidentiality, integrity and availability of sensitive data.

Perhaps an outsourced DPO may be the best option for reducing data breach risks and your liability. Connect with one of our experts and improve your approach to processing sensitive data!

Author: Edmund Hettinger DC