The GDPR (General Data Protection Regulation) distinguishes between ‘personal data’ and ‘sensitive personal data’.
In this blog, we look at how they differ, and what you need to know if you want to process sensitive data.
What is ‘personal data’ under the GDPR?
The Regulation defines ‘personal data’ as:
Any information relating to an identified or identifiable natural person (‘data subject’).
In other words, any information that’s clearly about a particular person. Depending on the circumstances, this could include anything from someone’s name to their physical appearance.
We’ve explained more about personal data and the importance of context in a previous blog.
What constitutes ‘sensitive personal data’?
In its most basic definition, sensitive data is a specific set of “special categories”:
- Genetic data
- Political opinions
- Racial or ethnic origin
- Data concerning health
- Trade union membership
- Religious or philosophical beliefs
- Data concerning sex life or sexual orientation
- Biometric data (where processed to uniquely identify someone)
Article 9 of the GDPR prohibits special category data from being processed unless you can rely on an exemption.
When can you process sensitive data?
As with non-sensitive personal data, like names and addresses, you may only process sensitive data if you can rely on a lawful basis (under Article 6) for doing so:
- Consent
- Public task
- Vital interests
- Legal obligation
- Legitimate interests
- Contractual obligation
This blog explains these six lawful bases in more detail.
However, for sensitive data, the GDPR imposes extra rules: you must document a lawful basis under Article 9.
What are the lawful bases under Article 9?
Organisations may only process sensitive information if an exemption listed under Article 9 applies.
We’ve listed them below, grouping them by relevance to the Article 6 lawful bases where possible.
Consent
- The data subject has given their explicit consent for the processing.
Public task
- Processing is necessary for a “substantial” public interest.
- Processing is necessary to complete tasks in the public interest in the area of public health, such as protecting against serious cross-border threats to health or ensuring high standards of quality and safety of healthcare, or medicinal products or devices.
- Processing is necessary for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes.
Vital interests
- Processing is necessary to protect an individual’s vital interests.
Legal obligation
- Processing is necessary to carry out your obligations, or exercise the data subject’s rights, in employment, social security and/or social protection law.
- Processing is necessary to establish, exercise or defend legal claims.
- Processing is necessary for a court to act in its judicial capacity.
Other
- The data subject “manifestly” made the data public.
- The processing forms part of your legitimate activities, and you’re a non-profit body with a political, philosophical, religious or trade-union aim.
- Processing is necessary for the purposes of preventive or occupational medicine, or a medical diagnosis.
- Processing is necessary to assess an employee’s working capacity.
- Processing is necessary to provide health or social care systems and services.
Note that individual member states can introduce further conditions or limitations for processing sensitive data – the above list only reflects the requirements of the EU GDPR.
Should I use consent?
A common misconception about the GDPR is that all organisations need to seek consent to process personal data. As the list above shows, consent is only one option.
What’s more, the strict rules regarding the way you obtain and maintain consent mean it’s generally the least preferable option.
The rules are there for good reason: if you can’t rely on any other grounds, like legal or contractual obligation, that suggests the processing isn’t strictly necessary. Because the GDPR aims to give individuals greater control over their data, anyone who consented can withdraw that consent and opt out of the processing at any time.
Furthermore, you can rarely change lawful basis after you’ve started processing the data. So, get it right first time to avoid enforcement action and business disruption.
This blog explains in more detail when to seek consent and its drawbacks.
How can I secure sensitive data?
You should store sensitive personal data separately from other personal data. If it’s held in paper format, preferably keep it in a locked drawer or filing cabinet.
Digitally, as with personal data generally, you should only keep sensitive data on laptops or portable devices if the file has been encrypted and/or pseudonymised.
Pseudonymisation means you process the data in a way that doesn’t identify specific people, but those individuals can be re-identified by combining that data with other information that’s stored separately and securely – likely involving encryption.
Encryption, a common form of cryptography, transforms your data using a secret value or ‘key’, so that only authorised users and applications (holding the decryption key) can read the information.
You can use pseudonymisation and encryption simultaneously or separately.
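The separation described above, as an added example that is not part of the original blog: direct identifiers are replaced with a keyed pseudonym, the pseudonymised dataset identifies nobody on its own, and the lookup table that allows re-identification is held apart from it. The sample records, field names and key handling are constructed for illustration; encrypting the stored lookup table and key at rest is assumed to be done with a proper library and is not shown.

```python
import hashlib
import hmac
import json

# Constructed sample records: two direct identifiers plus one
# special-category field (health data) that must stay usable.
RECORDS = [
    {"name": "Ada Example", "email": "ada@example.invalid", "health": "asthma"},
    {"name": "Bob Example", "email": "bob@example.invalid", "health": "diabetes"},
]
IDENTIFIER_FIELDS = ("name", "email")


def pseudonymise(records, identifier_fields, key):
    """Strip direct identifiers and replace them with a keyed pseudonym.

    Returns (dataset, lookup). The lookup (pseudonym -> identifiers) is the
    'additional information' that must be stored separately from the
    dataset, and encrypted at rest, for the pseudonymisation to hold.
    """
    dataset, lookup = [], {}
    for rec in records:
        identity = {f: rec[f] for f in identifier_fields}
        # HMAC over the canonical identity: the same person always gets the
        # same pseudonym (records stay linkable), but nobody without the key
        # can recompute or guess pseudonyms from known identities.
        canonical = json.dumps(identity, sort_keys=True).encode()
        pseudonym = hmac.new(key, canonical, hashlib.sha256).hexdigest()[:16]
        rest = {k: v for k, v in rec.items() if k not in identifier_fields}
        dataset.append({"pseudonym": pseudonym, **rest})
        lookup[pseudonym] = identity
    return dataset, lookup


def reidentify(dataset, lookup):
    """Rejoin the two separately held parts; impossible without the lookup."""
    rows = []
    for row in dataset:
        rest = {k: v for k, v in row.items() if k != "pseudonym"}
        rows.append({**lookup[row["pseudonym"]], **rest})
    return rows


def has_direct_identifiers(dataset, identifier_fields=IDENTIFIER_FIELDS):
    """True if any row still carries a direct identifier field."""
    return any(f in row for row in dataset for f in identifier_fields)
```

The key belongs with the lookup table, never alongside the pseudonymised dataset, otherwise the split offers no protection.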
How can I prove I’m meeting the GDPR requirements?
The Europrivacy™/® certification scheme offers a practical way to demonstrate your GDPR compliance. This data protection seal allows you to stamp your data processing activities as ‘GDPR compliant’.
The Europrivacy scheme also provides a detailed framework of appropriate security measures – both technical and organisational – you can use to protect PII (personally identifiable information).
This interview with senior privacy consultant and trainer Alice Turley explains the scheme in more detail.
Want to learn more about the key GDPR requirements?
Our free green paper General Data Protection Regulation (GDPR) – A compliance guide explains the core GDPR elements subject to the higher-tier fines: the greater of €20 million or 4% of global annual turnover.
This free guide covers:
- Who must comply with the GDPR;
- The benefits of achieving compliance;
- The Regulation’s core principles and rights;
- How to lawfully transfer personal data outside the EU; and
- Tips on how to write your privacy notice.
We first published a version of this blog in February 2018.