Blog
April 17, 2024

Personal Data vs Sensitive Data: What's the Difference?

Learn about the key differences between personal data and sensitive data in this all-encompassing guide from Metomic.


Key Points:

  1. Understanding the distinction between personal and sensitive data is crucial for implementing appropriate security measures under GDPR, given the rising frequency and sophistication of cyber attacks.
  2. GDPR establishes varying rules for personal and sensitive data, emphasising the need for organisations to prioritise data protection and transparency, particularly regarding sensitive information such as religious beliefs or biometric data.
  3. Implementing robust security measures, including stringent access controls, encryption, data minimisation, employee training, regular audits, and due diligence on third-party vendors, is essential to safeguarding personal and sensitive data in compliance with GDPR requirements.

When it comes to complying with GDPR, you will need to differentiate between personal data and sensitive (or special category) data in order to put the right security measures in place.

While personal data must be protected from a legal and ethical standpoint, special category data requires enhanced security, as unauthorised access can lead to harm or discrimination against an individual or an organisation.

With enforced GDPR fines totalling just under €4,500,000,000 as of April 2024, ensuring compliance with the law has become more important than ever.

What is personal data?

Personal data is information that relates to an identifiable person. Under GDPR, personal data could include:

  1. Names
  2. Addresses
  3. Phone numbers
  4. Social Security Numbers (SSNs)
  5. Date of birth

What is sensitive or special category data?

Sensitive data warrants more legal protection because it is classed as vulnerable and can be used to cause harm to individuals and organisations.

As outlined in Article 9 of GDPR, organisations handling sensitive or special category data will need to navigate enhanced restrictions, potentially carrying out a Data Protection Impact Assessment (DPIA) due to the high risk associated with this type of data.

Becky White, Senior Data Protection and Privacy Solicitor at Harper James, says, ‘GDPR sets out specific rules pertaining to “special category” data because it recognises that certain types of personal information are particularly sensitive and require extra protection. GDPR treats this kind of information differently due to several reasons that are inherent, such as the increased risk of discrimination, or the fact that this information can involve deeply personal aspects of an individual’s life and could lead to social, financial or emotional harm.

‘By treating special category data differently, GDPR aims to strike a balance between protecting individuals’ privacy rights and allowing necessary data processing for legitimate purposes such as healthcare, research, or employment, while minimising the risks associated with the misuse of this particularly sensitive information. There are separate rules that apply to personal data regarding criminal allegations; however, the list does not include financial data, which, although potentially highly sensitive and confidential in nature, does not raise the same fundamental issues.’

Some examples of sensitive or special category data include:

  1. Details of your religion, race and ethnicity
  2. Health-related data such as medications
  3. Sexual orientation
  4. Trade union membership

What are the key differences between the two?

It’s important to note that personal data isn’t always sensitive, and vice versa. However, if sensitive data can be connected to an individual, it will become personal data.

The key differences lie in:

1. The level of sensitivity

While personal data such as a name or address might not be considered sensitive on its own, there are specific types of personal data that could cause harm to an individual if they were accessed by an unauthorised user. For example, healthcare records detailing illnesses and medications could be damaging to an individual if released.

2. The level of risk attached

A data breach or leak containing sensitive information will be more severe for an organisation and the individuals affected than one containing only personal data. It could lead to financial losses, identity theft, and long-lasting reputational damage.

3. Compliance requirements

Personal data is often covered by regulations such as GDPR or CCPA, and will need to be handled according to their guidelines. However, sensitive data will often be held to stricter requirements such as HIPAA, due to the nature of the data.

Where are they typically held?

Both personal and sensitive data are held in various locations within a business. This could be in databases such as CRM systems, or HR tools, as well as on employee devices such as laptops or phones, if the data is downloaded or stored in an app.

While some organisations may opt for on-premises servers to store data, many with remote workers may choose cloud environments for data storage, including personal and sensitive data. If data is kept in physical formats, it should be stored securely to prevent unauthorised users from opening files or accessing USB drives.

There are also third-party service providers that organisations may use to handle their data processing, and these can store data on behalf of a company. It’s vital that companies carry out due diligence on any third-party providers, and they should also ensure there are data backups in place for disaster recovery.

What is the role of GDPR for both types of data?

GDPR establishes different rules for personal and sensitive or special category data within the EU and EEA. Individuals are given greater protection under GDPR, as organisations are required to gain explicit consent before processing their personal or sensitive data, and maintain transparency on what their customers’ data is used for. They also need to ensure that the rights of their data subjects are honoured, giving them the right to access, amend, and erase personal data.

When it comes to sensitive or special category data, information such as religious beliefs, biometric data, political opinions, and genetic data must be protected with enhanced security measures. It must only be processed under special circumstances, including if someone’s life is at risk or if there are serious public health concerns.

Stuart Snape, Managing Partner at Graham Coffey & Co. Solicitors, says, ‘Put simply, GDPR is there to acknowledge and protect the fundamental rights of individuals to the protection of their data as a means of protecting fundamental rights and freedoms. It is notable that the right to a private life is explicitly outlined in Article 9.

‘It is also important to consider that the protection of sensitive data is a vital step in preserving Article 14 under the Human Rights Act (Prohibition of Discrimination). It is no coincidence that the list of potential grounds for discrimination under the convention is mirrored in the types of sensitive data protected by GDPR.’

How can personal and sensitive data be protected?

It takes a holistic approach to data security to ensure that personal and sensitive data is adequately protected. Here are a few measures you can take:

  1. Implement stringent access controls: Preventing unauthorised users from accessing personal and sensitive data is essential for mitigating the risk of data being leaked or breached.
  2. Put encryption in place: Encrypting data in transit and at rest stops it from being readable by unauthorised users. Even if intercepted, the data is undecipherable without the correct encryption key.
  3. Focus on data minimisation: Data minimisation helps organisations reduce their attack surface by collecting the minimum amount of data and reviewing it frequently to ensure that data which is no longer needed is disposed of accordingly.
  4. Train employees effectively: With 95% of data leaks being the result of human error, building a resilient Human Firewall of security-conscious employees is key to preventing data being leaked or breached.
  5. Conduct regular audits: Understanding where your vulnerabilities lie is crucial, and regular audits and monitoring can help you detect any unusual activity within your networks.
  6. Maintain data backups: Keeping regular backups of any personal or sensitive data is vital for restoring data, should it be lost or breached.
  7. Carry out due diligence: Any third-party vendors should be scrutinised to ensure they have appropriate security measures in place if they are handling any data on your behalf.

It is also important to have a comprehensive privacy policy in place to outline how personal data will be processed, so that customers are fully aware of their data protection rights.

How can Metomic help?

Metomic helps you detect and protect the data that matters to your organisation, aligning your business with the requirements of GDPR.

Book a free risk assessment with one of our data security experts to see how secure your ecosystem really is.
