You won’t get far with your GDPR (General Data Protection Regulation) compliance activities if you don’t know what’s considered personal data.
But it’s not as simple as identifying whether the information you’re processing is in the Regulation’s scope, because the GDPR defines a second set of ‘special’ categories of personal data, which covers sensitive information.
Let’s take a look at what makes sensitive personal data special.
Personal data vs sensitive data
Any discussion of sensitive personal data needs to begin with an overview of the more general category of personal data.
The GDPR defines personal data as any information about an identifiable living person. This can be information specifically designed to identify them, such as a name or ID number, or it can be data that belongs to them, like a phone number or IP address.
Sensitive data encompasses a range of special categories of personal data relating to information that could have particularly harmful effects if misused – for example, by putting someone at risk of unlawful discrimination.
Personal data is considered sensitive if it relates to an individual’s:
- Racial or ethnic origin;
- Political opinions;
- Genetic or biometric data (where used for ID purposes);
- Sex life or sexual orientation;
- Trade union membership;
- Health; or
- Religious or philosophical beliefs.
How to obtain and store sensitive personal data
Because of the increased risks associated with sensitive personal data, there are additional requirements regarding how you obtain and store it.
For a start, when collecting sensitive personal data, you must document a lawful basis for processing under Article 6 of the GDPR – as you do will all personal data processing – as well as a basis under Article 9.
You don’t necessarily need to use the same lawful basis to comply with both articles, but in many cases there will be an obvious link between the two.
Once you’ve obtained the data, you should be careful to store it separately from, and more securely than, other personal data. Physical files should be kept under lock and key, and digital files should be encrypted and kept in a folder that’s subject to access controls.
As with personal data generally, sensitive personal data should only be kept on laptops or other portable devices if the file has been encrypted and/or pseudonymised.
Manage your GDPR compliance with Vigilant Software
Are you still unsure about what to do regarding sensitive personal data and other aspects of the GDPR?
If so, GDPR Manager is the perfect solution. It offers a single, Cloud-based portal for managing four of the most important GDPR requirements.
The tool will help you achieve and demonstrate compliance cost-effectively, quickly and easily. Your work is saved in a central location, making maintaining and updating documentation simple.
After all, the more of your GDPR compliance activities you can do on a single platform, the better – in terms of consistency of approach, time spent on user management, cost-effectiveness, and so on.