Learn about the key differences between two types of data 'personal data' and 'sensitive data' in this all-encompassing guide from Metomic.
When it comes to complying with GDPR, you will need to differentiate between personal data and sensitive, or special category data, in order to put the right security measures in place.
While personal data must be protected from a legal and ethical standpoint, special category data requires enhanced security, as unauthorised access can lead to harm to, or discrimination against, an individual or an organisation.
With enforced GDPR fines totalling a cumulative amount of just under €4,500,000,000 in April 2024, it’s become more important than ever to ensure compliance with the law.
Personal data is information that relates to an identifiable person, commonly referred to as personally identifiable information (PII).
Under GDPR, the types of personal data could include:
Sensitive data warrants more legal protection because it is classed as vulnerable and can be used to cause harm to individuals and organisations.
As outlined in Article 9 of GDPR, organisations handling sensitive or special category data will need to navigate enhanced restrictions, potentially carrying out a Data Protection Impact Assessment (DPIA) due to the high risk associated with this type of data.
Becky White, Senior Data Protection and Privacy Solicitor at Harper James, says, ‘GDPR sets out specific rules pertaining to ‘special category’ data because it recognises that certain types of personal information are particularly sensitive and require extra protection. GDPR treats this kind of information differently due to several reasons that are inherent, such as the increased risk of discrimination, or the fact that this information can involve deeply personal aspects of an individual’s life and could lead to social, financial or emotional harm.
‘By treating special category data differently, GDPR aims to strike a balance between protecting individuals' privacy rights and allowing necessary data processing for legitimate purposes such as healthcare, research, or employment, while minimising the risks associated with the misuse of this particularly sensitive information. There are separate rules that apply to personal data regarding criminal allegations, however, the list does not include financial data which although potentially highly sensitive and confidential in nature, does not raise the same fundamental issues.’
Some types of sensitive or special category data include:
It’s important to note that personal data isn’t always sensitive, and vice versa. However, if sensitive data can be connected to an individual, it will become personal data.
The key differences lie in:
While personal data such as a name or address might not be considered sensitive on its own, there are specific types of personal data that could cause harm to an individual if accessed by an unauthorised user. For example, healthcare records containing details of illnesses and medications could be damaging for an individual if released.
A data breach or leak containing sensitive information will be more severe for an organisation and the individuals affected than one containing only personal data. It could lead to financial losses, identity theft, and long-lasting reputational damage.
Personal data is often covered by regulations such as GDPR or CCPA, and will need to be handled according to their guidelines. However, sensitive data will often be held to stricter requirements such as HIPAA, due to the nature of the data.
Both personal and sensitive data are held in various locations within a business. This could be in databases such as CRM systems, or HR tools, as well as on employee devices such as laptops or phones, if the data is downloaded or stored in an app.
While some organisations may opt for on-premises servers to store data, many with remote workers may choose cloud environments for data storage, including personal and sensitive data. If data is kept in physical formats, it should be stored securely to prevent unauthorised users from opening files or accessing USB drives.
There are also third-party service providers that organisations may use to handle their data processing, and these can store data on behalf of a company. It’s vital that companies carry out due diligence on any third-party providers, and they should also ensure there are data backups in place for disaster recovery.
GDPR establishes different rules for personal and sensitive or special category data within the EU and EEA. Individuals are given greater protection under GDPR, as organisations are required to gain explicit consent before processing their personal or sensitive data, and maintain transparency on what their customers’ data is used for. They also need to ensure that the rights of their data subjects are honoured, giving them the right to access, amend, and erase personal data.
When it comes to sensitive or special category data, information such as religious beliefs, biometric data, political opinions, and genetic data must be protected with enhanced security measures. It must only be processed under special circumstances, including if someone’s life is at risk or if there are serious public health concerns.
Stuart Snape, Managing Partner at Graham Coffey & Co. Solicitors says, ‘Put simply, GDPR is there to acknowledge and protect the fundamental rights of individuals to the protection of their data as a means of protecting fundamental rights and freedoms. It is notable that the right to a private life is explicitly outlined in Article 9.
‘It is also important to consider that the protection of sensitive data is a vital step in preserving Article 14 under the Human Rights Act - Prohibition of Discrimination. It is no coincidence that the list of potential grounds for discrimination under the convention is mirrored in the types of sensitive data protected by GDPR.’
Ensuring that personal and sensitive data is adequately protected takes a holistic approach to data security. Here are a few measures you can take:
It is also important to have a comprehensive privacy policy in place to outline how personal data will be processed, so that customers are fully aware of their data protection rights.
Metomic helps you detect and protect the data that matters to your organisation, aligning your business with the requirements of GDPR.
Book a personalised demo with one of our data security experts to see how secure your ecosystem really is.