Updated: Aug 22, 2023   |   Fergal Glynn

Which personal data is considered sensitive under GDPR?

The European Union’s (EU) General Data Protection Regulation (GDPR) is legislation adopted by EU member nations to protect the personal data of EU citizens. The GDPR makes a distinction between personal data and sensitive personal data. 

We’re going to look at which personal data is considered sensitive under GDPR and what additional compliance requirements must be met when collecting or processing it.

GDPR is generally considered to be the toughest data privacy and security law in the world. While it is designed to protect EU citizens, the law applies to all organizations that collect or process those citizens’ personal data, regardless of where those organizations may be located.

Failure to comply with GDPR can result in large financial penalties and the loss of public trust.

GDPR is a technology-agnostic set of regulations that apply whether data is processed manually or by automated solutions. Personal data that has been made anonymous and can no longer be used to identify individuals is no longer subject to GDPR standards.

Two different kinds of personal data

Not all personal data is treated the same way according to the guidelines set down by the GDPR. The GDPR differentiates between general and sensitive personal data. Let’s look at the differences between these two categories of protected personal information.

General personal data

The GDPR defines personal data as any information that is related to an identified or identifiable living individual. Pieces of information that may, in themselves, not be considered personal data — but that can collectively be used to identify an individual — are also categorized as personal data.

Examples of personal data include:

  • An individual’s first and last name
  • A person’s home address
  • The IP address of their computer or home WiFi router
  • Email addresses
  • Identification numbers such as those on a driver’s license or Social Security card
  • Medical records that uniquely identify an individual

Sensitive personal data

Article 9 of the GDPR defines the categories of sensitive personal data, which can only be processed under more stringent conditions than general personal data. The categories of sensitive personal data include:

  • Information regarding an individual’s racial or ethnic origin
  • Data about a person’s political, religious, or philosophical beliefs
  • Trade union membership information
  • Genetic data
  • Biometric data used to uniquely identify an individual
  • Health-related data
  • Information about a person’s sexual orientation or sex life

One can see why this data is considered more sensitive than general personal data. Most of the information classified as being sensitive can be used to discriminate against individuals in ways that an address or ID number cannot. Protecting individuals is the rationale behind treating sensitive personal data differently.


Additional requirements for collecting and processing sensitive personal data

GDPR prohibits the processing of sensitive personal data unless the processing meets the guidelines under Articles 6 and 9 of the regulations.

Article 6 defines the lawful reasons that sensitive personal data may be collected and processed. They include:

  • The data subject has consented to the processing of their personal data
  • Processing is necessary to fulfill a contract with the data subject
  • Processing is required to comply with a legal obligation
  • Processing the information protects the data subject’s vital interests
  • Processing is necessary to perform a task in the public interest
  • Processing is required to address the legitimate interests of a data controller

Article 9 defines the reasons that sensitive personal data can be processed. They include many of the same provisions justifying lawful processing outlined in Article 6. Additional reasons defined in Article 9 include:

  • The data subject has consented to the processing
  • Processing is required for employment or social security
  • The data has already been made public by the data subject
  • Processing is necessary for preventative or occupational medicine
  • Processing addresses the public interest regarding public health

How a data loss prevention solution protects sensitive personal data


A data loss prevention (DLP) solution is an essential component of a comprehensive strategy to protect sensitive personal data subject to GDPR guidelines. The strategy begins with an organization developing a data handling policy that conforms to GDPR standards. (Want to assess the performance of your DLP tool and ensure the accuracy of your policies? Use our DLP Policy Testing Tool.) 

A modern DLP solution, like the Reveal Platform by Next, can automatically enforce the policy to ensure that data is handled appropriately throughout the organization.

Reveal puts next-gen agents powered by machine learning on the endpoint to identify and categorize data at the point of risk. Reveal’s cloud-native, multi-tenant platform prohibits unauthorized users from accessing sensitive personal data and maintains GDPR compliance.

The tool also provides real-time user training and promotes a security-conscious workforce that reduces the risk of data breaches.

Protect your valuable data resources from intentional or accidental misuse; talk to the data loss prevention experts at Next today and book a demo to see the tool in action.

Frequently asked questions

Will encrypting sensitive personal data eliminate the need to follow GDPR compliance guidelines?

Data that has been encrypted or pseudonymized may still be considered personal data if the process can be reversed and the information used to identify a person. For example, it’s usually possible to decrypt encrypted data with the right software. This fact makes it vitally important to categorize data correctly and ensure that it can only be accessed by authorized personnel.

Why is sensitive personal data treated differently?

The type of data categorized as sensitive personal data can be used by malicious entities to discriminate against an individual in ways general personal data cannot. Intolerant groups can use racial or religious affinity against an individual. Though an ID number may identify a person, it does not pose the same degree of danger if it is disclosed.

Can individuals rescind their consent to have sensitive personal data processed?

Yes, they can. Article 7.3 states that a data subject has the right to withdraw their consent at any time. It should be as easy to withdraw consent as it is to give it. If data subjects withdraw consent, the applicable information must be removed and can no longer be processed by the data controller.


