What is the difference between personal data and sensitive data, and how should an organisation handle them differently?
The distinction between these two terms matters because the General Data Protection Regulation (GDPR) prohibits the processing of sensitive data unless one of a limited set of conditions applies.
Personal data vs sensitive data
“Personal data” refers to any data that can be used, on its own or in combination with other data, to identify a living person (the “data subject”). This includes information such as a person’s full name, email address, phone number, credit card details, or an online identifier such as an IP address or a cookie ID.
“Sensitive data” (or “special categories of data”, as it is referred to in Article 9 of the GDPR) includes information about a data subject’s:
- Racial or ethnic origin
- Political opinions
- Religious or philosophical beliefs
- Trade union membership
- Health-related data
- Genetic data
- Biometric data (where it is processed for the purpose of uniquely identifying a person)
- Sex life or sexual orientation
The types of sensitive personal data listed above are intimate in nature, and a breach or misuse of them could be used to blackmail, discriminate against or damage the reputation of the individual concerned, which is why the GDPR applies a stricter regime to them.
An organisation may process sensitive data only if one of the following grounds (set out in Article 9(2)) applies:
- The data subject gives their explicit consent for the organisation to process their sensitive personal data, unless European Union or Member State law provides that the prohibition cannot be lifted by consent.
- It’s necessary for the organisation or the data subject to carry out their obligations or exercise their rights under employment, social security or social protection law.
- It’s necessary to protect the vital interests (i.e. matters of life or death) of the data subject or of another person, where the data subject is physically or legally incapable of giving consent.
- The organisation is a not-for-profit body with a political, philosophical, religious or trade union aim, provided that the processing only relates to members or to former members of the body or people who have regular contact with it in connection with its purposes, and that the personal data are not disclosed outside that body without the consent of the data subjects.
- The data has manifestly been made public by the data subject.
- It’s necessary for the establishment, exercise or defense of legal claims or whenever courts are acting in their judicial capacity.
- It’s necessary for reasons of substantial public interest, on the basis of Union or Member State law.
- It’s necessary for the purposes of preventive or occupational medicine, the assessment of an employee’s working capacity, medical diagnosis, the provision of health or social care or treatment, or the management of health or social care systems and services, on the basis of Union or Member State law or under a contract with a health professional.
- It’s necessary for reasons of public interest regarding public health, such as protecting against cross-border health threats and ensuring high standards of healthcare, medicinal products or medical devices.
- It’s necessary for archiving purposes in the public interest, or for scientific or historical research or statistical purposes.
The GDPR also notes that Member States may “maintain or introduce further conditions, including limitations” around the processing of genetic, biometric or health-related data.
In addition to complying with the GDPR’s key data processing principles, organisations whose core activities involve processing sensitive data on a large scale must appoint a Data Protection Officer (DPO) under Article 37, carry out a data protection impact assessment before starting such processing under Article 35, and implement security measures appropriate to the risk under Article 32 to ensure this information is adequately protected.
A major part of understanding the GDPR’s compliance requirements is learning its terminology; it’s the small details, such as whether a field in a customer record falls within the special categories, that can lead to serious infringements if left unchecked.
To avoid attracting a fine or putting people’s privacy at risk, all organisations should carefully and continuously review their privacy practices to ensure they remain compliant with the current regulation.