What is Sensitive Personal Data for GDPR?

The GDPR (General Data Protection Regulation) came into effect on May 25th 2018. It imposes the toughest data privacy and security laws anywhere in the world on any organisation that targets or collects data related to people in the EU.

Personal data is at the core of these stringent regulations. GDPR defines personal data as:

“‘[P]ersonal data’ means any information relating to an identified or identifiable natural person (‘data subject’).”

This refers to any information that’s related to a specific person which may include their name, address or even their physical appearance. The GDPR states that the processing of personal data is only lawful if it complies with at least one of six defined conditions.

But under the GDPR there are certain specific forms of personal information classed as ‘sensitive personal data’ which are required to be afforded greater protection. In this article, we look at these specific forms of personal data and how to establish compliance.

What is Sensitive Personal Data?

Sensitive personal data refers to a group of ‘special categories’ of personal information which are required to be handled with extra security and strictly in compliance with specific legal restrictions. Personal data that reveals the following is classed as ‘sensitive’:

  • Racial or ethnic origins
  • Political opinions
  • Religious or philosophical beliefs
  • Trade union membership
  • Genetic data
  • Biometric data
  • Health data
  • Data concerning a persons sex life or sexual orientation

Personal Data vs Sensitive Personal Data

As noted, the GDPR defines personal data as information relating to an identified or identifiable natural person. An identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.

This means that personal data is information related to an individual that enables them to be identified, either directly or indirectly, from one or more identifiers or from factors specific to that individual.

The GDPR also makes a clear distinction between direct identification information and pseudonymised data. Pseudonymisation may, for example, replace personal names with unique identifiers such as membership numbers. But pseudonymisation doesn’t alter the status of the data which is still considered personal as it can still be attributed to a specific person.

Sensitive personal data is anything that falls into any of the previously listed ‘special categories’ such as race, ethnic origin, political opinions etc. The sensitive nature of this information means that it must be handled and processed with higher levels of protection due to its sensitivity.

Handling Sensitive Personal Data

In order to handle and process sensitive personal data, a lawful basis must be identified under Article 6 of the GDPR and a separate condition for processing under Article 9.

Article 6 of the GDPR (lawfulness of processing) defines 6 conditions. Processing of such data is only lawful if at least one of these conditions is met.

Article 9 of the GDPR (processing of special categories of personal data) states that processing personal data that reveals specific personal attributes is prohibited unless at least one of the defined criteria is met. These 10 conditions are summarised as:

  1. Explicit consent
  2. Employment, social security and social protection (if authorised by law)
  3. Vital interests
  4. Not-for-profit bodies
  5. Made public by the data subject
  6. Legal claims or judicial acts
  7. Reasons of substantial public interest (with a basis in law)
  8. Health or social care (with a basis in law)
  9. Public health (with a basis in law)
  10. Archiving, research and statistics (with a basis in law)

It is necessary to have determined the conditions for processing sensitive personal data before processing is commenced and this must be documented. Also, a data protection impact assessment must be carried out for any processing which may be high risk.

Some of these conditions require adherence to additional conditions and safeguards defined in UK law and in many cases an ‘appropriate policy document’ must be in place to meet the requirements of a UK Schedule 1 condition for processing in the DPA 2018 (data protection act 2018).

5 Tips for Sensitive Personal Data Compliance

Ensuring compliance with the specific requirements regarding ‘sensitive personal data’ may be causing concern in your organisation. Here are 5 tips that will help ensure you are in a good position.

1. Make Certain You Know What ‘Sensitive Personal Data’ Is

We hope that this guide has helped you understand exactly what ‘sensitive personal data’ is in the context of GDPR and what your organisation needs to do when handling and processing this information. Ensuring that you, your colleagues and those involved in data processing are fully acquainted with GDPR requirements will make a valuable contribution to your GDPR compliance plan.

2. Audit Your Organisation’s Data Handling

Do you know what forms of personal and possibly sensitive personal data are currently captured, stored and used by your organisation? An important step toward GDPR compliance is understanding all aspects of the data handled and processed by your organisation. Documenting detailed data flow information will help identify areas where GDPR compliance issues may exist.

3. Verify the Legal Basis for Data Processing

An important part of your data handling audit should identify the specific legal basis for processing any forms of ‘sensitive personal data’. Refer to Article 9 of the GDPR to see the complete list of 10 conditions.

4. Create Your GDPR Compliance Plan

Having gathered all the information you need you should now have determined which of your current policies and practices need to be addressed. This will allow you to draft a plan and prioritise the actions you need to take to make your organisation fully compliant.

5. Consult with GDPR Experts

A highly effective approach is to employ the services of experienced GDPR experts. For some organisations, the additional burden required to meet GDPR compliance can be too much to handle, but GDPR compliance can’t be ignored. Employing the services of GDPR experts who have already helped other organisations like yours, assess their current statuses and put procedures and practices in place to make them compliant, is a practical way forward.

6. Concluding Summary

GDPR compliance can be a headache and the handling of ‘sensitive personal data’ can be confusing and challenging. It’s essential that your organisation is handling all personally identifiable information and especially sensitive personal data in full compliance with GDPR requirements. An effective strategy is to consult with data compliance experts at Riverbank IT Management who have the experience and expertise you need.