How to identify sensitive and personal data

Before beginning your data mapping exercise, you need to identify the personal data you hold. Personal data is any information that can directly or indirectly identify a natural person. The GDPR (General Data Protection Regulation) places much stronger controls on the processing of sensitive personal data.

How to recognise personal data

Personal data can be stored digitally or manually and can be used to directly or indirectly identify an individual.

Personal data includes:

  • Name;
  • Address;
  • Email address;
  • Photo;
  • IP address;
  • Location data;
  • Online behaviour (cookies); and
  • Profiling and analytics data.

How to recognise sensitive personal data

Sensitive personal data is a specific set of “special categories” that must be treated with extra security. These categories are:

  • Racial or ethnic origin;
  • Political opinions;
  • Genetic data;
  • Biometric data (where processed to uniquely identify someone);
  • Religious or philosophical beliefs; and
  • Trade union membership.

Sensitive personal data needs explicit consent from the data subject.

Why separate sensitive data from personal data?

It is very important to understand the difference between sensitive and personal data, because you can’t use and store data in the same way.

Why and how is it possible to keep this data?

If you change any information about the data subject, you must be aware of how you archived it. You must identify if your data is adequate, relevant and not excessive.

The subject can ask you to delete information you have about them.

Six principles should be applied:

  1. You must have obtained consent to process personal data, including explaining who you are, how the data will be processed and if the data will be disclosed to any third parties.
  2. You must only collect personal data for legitimate and specific reasons, and must inform the data subject of these reasons.
  3. You can collect data for necessary processing, but you can’t collect more personal data than you need.
  4. You must amend or erase data when it is inaccurate or when a subject asks you to.
  5. You must only keep the data for as long as is necessary. You need to create a retention policy that identifies when records will be destroyed.
  6. You must have processed the data in a manner that ensures its security.

To see how the Data Flow Mapping Tool can help your organisation, download for free our white paper >>

A version of this blog was originally published on 4 April 2018.

Leave a Reply

Your email address will not be published.

This site uses Akismet to reduce spam. Learn how your comment data is processed.