Before beginning your data mapping exercise, you need to identify the personal data you hold. Personal data is any information that can directly or indirectly identify a natural person. The General Data Protection Regulation (GDPR) places much stronger controls on the processing of sensitive personal data.
How to recognise sensitive personal data
Sensitive personal data is a specific set of “special categories” that must be treated with extra security. These categories are:
- Racial or ethnic origin;
- Political opinions;
- Genetic data;
- Biometric data (where processed to uniquely identify someone);
- Religious or philosophical beliefs; and
- Trade union membership.
Sensitive personal data needs explicit consent from the data subject.
How to recognise personal data
Personal data can be stored digitally or manually and can be used to directly or indirectly identify an individual.
Personal data includes:
- Email address;
- IP address;
- Location data;
- Online behaviour (cookies); and
- Profiling and analytics data.
Why separate sensitive data from personal data?
It is very important to understand the difference between sensitive and personal data, because you can’t use and store data in the same way.
Why and how is it possible to keep this data?
If you change any information about the data subject, you must be aware of how you archived it. You must identify if your data is adequate, relevant and not excessive.
The subject can ask you to delete information you have about them.
Six principles should be applied:
- You must have obtained consent to process personal data, including explaining who you are, how the data will be processed and if the data will be disclosed to any third parties.
- You must only collect personal data for legitimate and specific reasons, and must inform the data subject of these reasons.
- You can collect data for necessary processing, but you can’t collect more personal data than you need.
- You must amend or erase data when it is inaccurate or when a subject asks you to.
- You must only keep the data for as long as is necessary. You need to create a retention policy that identifies when records will be destroyed.
- You must have processed the data in a manner that ensures its security.