What is the difference between personal data and sensitive data, and how should an organisation handle them differently?
The distinction between these two terms is important, given that the General Data Protection Regulation (GDPR) prohibits the processing of sensitive data outside of certain conditions.
“Personal data” refers to any data that can be used or combined with other data to identify a person (or “data subject”). This includes information such as a person’s full name, email address, phone number or credit card details.
“Sensitive data” (or “special categories of data”, as it is referred to in Article 9 of the GDPR) includes information about a data subject’s:
Clearly, the types of sensitive personal data listed above are intimate in nature and could be used to blackmail, discriminate against or damage the reputation of the individual in question.
An organisation may be permitted to process sensitive data if one of the following grounds for processing applies:
The GDPR also notes that Member States may “maintain or introduce further conditions, including limitations” around the processing of genetic, biometric or health-related data.
In addition to complying with the GDPR’s key data processing principles, companies that process sensitive data on a large scale will need to hire a Data Protection Officer (DPO) and implement tighter security measures to ensure this information is adequately protected.
A major part of understanding the General Data Protection Regulation (GDPR) compliance requirements is learning the terminology: small details such as the distinction above can lead to serious infringements if left unchecked.
To avoid attracting a fine or putting people’s privacy at risk, all organisations should carefully and continuously review their privacy practices to ensure they remain in compliance with the latest regulation.