We recently discussed what counts as personal data under the EU General Data Protection Regulation (GDPR); however, we didn’t cover sensitive personal data.
Before we get into what that entails, let’s recap the GDPR’s definition of personal data:
“‘[P]ersonal data’ means any information relating to an identified or identifiable natural person (‘data subject’).”
In other words, it is any information that is clearly about a particular person. In certain circumstances, this could include anything from someone’s name to their physical appearance.
Sensitive personal data is a specific set of “special categories” that must be treated with extra security. These categories are:
- Racial or ethnic origin;
- Political opinions;
- Religious or philosophical beliefs;
- Trade union membership;
- Genetic data; and
- Biometric data (where processed to uniquely identify someone).
Sensitive personal data should be held separately from other personal data, preferably in a locked drawer or filing cabinet. As with personal data generally, it should only be kept on laptops or portable devices if the file has been encrypted and/or pseudonymised.
Pseudonymisation masks data by replacing identifying information with artificial identifiers. Although it is central to protecting data – being mentioned 15 times in the GDPR – and can help protect the privacy and security of personal data, pseudonymisation has its limits, which is why the GDPR also mentions encryption.
Encryption also obscures information by replacing identifiers with something else. But whereas pseudonymisation allows anyone with access to the data to view part of the data set, encryption allows only approved users to access the full data set.
Pseudonymisation and encryption can be used simultaneously or separately.
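The distinction drawn above can be made concrete in code. The following is an added example, not code from this post or from IT Governance, and it assumes a constructed sample record (the `name`, `email` and `trade_union_member` fields are invented) and a stdlib-only toy cipher (HMAC-SHA256 in counter mode with encrypt-then-MAC) standing in for a real authenticated cipher such as AES-GCM. It shows that a pseudonymised record still exposes its non-identifying fields, including the special-category field, to anyone who can read it, that the pseudonym can only be reversed with the separately held lookup table, and that an encrypted record exposes nothing without the key.

```python
import hashlib
import hmac
import json
import secrets

# Constructed sample record (not real data): two direct identifiers plus a
# GDPR "special category" field (trade union membership).
SAMPLE_RECORD = {
    "name": "Example Person",
    "email": "person@example.invalid",
    "trade_union_member": True,
}


def make_key() -> bytes:
    """Generate a 32-byte secret; it must be held separately from the data it protects."""
    return secrets.token_bytes(32)


def pseudonymise(record: dict, key: bytes, identifiers=("name", "email")):
    """Replace direct identifiers with an artificial identifier derived via HMAC.

    Returns (pseudonymised_record, lookup_entry). The lookup entry is the
    "additional information" that has to be kept separately: HMAC is one-way,
    so without it (or the key plus the original identifiers) the pseudonym
    cannot be reversed. Everything else in the record stays readable.
    """
    ident = "|".join(str(record[f]) for f in identifiers)
    pseudonym = hmac.new(key, ident.encode(), hashlib.sha256).hexdigest()[:16]
    pseudo = {k: v for k, v in record.items() if k not in identifiers}
    pseudo["subject_id"] = pseudonym
    lookup = {pseudonym: {f: record[f] for f in identifiers}}
    return pseudo, lookup


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """Toy counter-mode keystream built from HMAC-SHA256 (illustration only)."""
    out = b""
    counter = 0
    while len(out) < length:
        block = nonce + counter.to_bytes(4, "big")
        out += hmac.new(key, block, hashlib.sha256).digest()
        counter += 1
    return out[:length]


def encrypt_record(record: dict, key: bytes) -> bytes:
    """Encrypt the whole serialised record; output is nonce || ciphertext || tag."""
    plaintext = json.dumps(record, sort_keys=True).encode()
    nonce = secrets.token_bytes(16)
    enc_key = hmac.new(key, b"enc", hashlib.sha256).digest()  # derive separate keys
    mac_key = hmac.new(key, b"mac", hashlib.sha256).digest()
    stream = _keystream(enc_key, nonce, len(plaintext))
    ciphertext = bytes(p ^ k for p, k in zip(plaintext, stream))
    tag = hmac.new(mac_key, nonce + ciphertext, hashlib.sha256).digest()
    return nonce + ciphertext + tag


def decrypt_record(blob: bytes, key: bytes) -> dict:
    """Verify the tag first, then decrypt; raises ValueError on a wrong key or tampering."""
    if len(blob) < 16 + 32:
        raise ValueError("blob too short")
    nonce, ciphertext, tag = blob[:16], blob[16:-32], blob[-32:]
    enc_key = hmac.new(key, b"enc", hashlib.sha256).digest()
    mac_key = hmac.new(key, b"mac", hashlib.sha256).digest()
    expected = hmac.new(mac_key, nonce + ciphertext, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("wrong key or tampered data")
    stream = _keystream(enc_key, nonce, len(ciphertext))
    plaintext = bytes(c ^ k for c, k in zip(ciphertext, stream))
    return json.loads(plaintext.decode())


if __name__ == "__main__":
    key = make_key()
    pseudo, lookup = pseudonymise(SAMPLE_RECORD, key)
    print("pseudonymised (special-category field still visible):", pseudo)
    print("separately held lookup table:", lookup)
    blob = encrypt_record(SAMPLE_RECORD, key)
    print("encrypted blob (nothing readable):", blob.hex()[:48], "...")
    print("decrypted with the right key:", decrypt_record(blob, key))
```

Two points worth noting from running it: the same key always yields the same pseudonym for the same person, which is what lets an analyst link a subject's rows across a data set, but it also means the key is as sensitive as the lookup table; and the encrypted blob gives a reader without the key neither the identifiers nor the special-category field.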
A common misconception about the GDPR is that all organisations need to seek consent to process personal data. In fact, consent is only one of six lawful grounds for processing personal data, and the strict rules regarding lawful consent requests make it generally the least preferable option.
However, there will be times when consent is the most suitable basis, and organisations need to be aware that they need explicit consent to process sensitive personal data.
Nuances like this are common throughout the GDPR, and any organisation that hasn’t taken the time to study its compliance requirements thoroughly is liable to be tripped up. This could lead to lasting damage, from enforcement action and regulatory fines to bad press and loss of customers.
You can avoid the pitfalls of non-compliance by reading EU GDPR – A Pocket Guide. Written by Alan Calder, IT Governance’s founder and executive chairman, this book will help you gain a clear understanding of the GDPR, explaining:
- The terms and definitions used in the Regulation;
- The most important compliance requirements; and
- How organisations can comply with the GDPR.