The GDPR: Do you know the difference between personal data and sensitive data?

Now that the EU GDPR (General Data Protection Regulation) has been in effect for a couple of months, you’ve hopefully become acquainted with its definition of personal data: “any information relating to an identified or identifiable natural person”.

But what exactly does this mean? And did you know that the GDPR includes a sub-category of sensitive personal data that comes with its own requirements?

If this information is new to you, you might be panicking, but this blog post explains everything you need to know in a simple and easy-to-understand way.

What is personal data?

In the most basic terms, personal data is any piece of information that someone can use to identify, with some degree of accuracy, a living person. For example, the email address” is considered personal data, because it indicates there can only be one John Smith who works at Company X.

But, naturally, it isn’t as simple as that. Each piece of information doesn’t have to be taken on its own. Organisations typically collect and store multiple pieces of information on data subjects, and the amassed information can be considered personal data if it can be pieced together to identify a likely data subject. Think of it like a massive game of Guess Who?

Under certain circumstances, any of the following can be considered personal data:

  • Name
  • ID number
  • Location data
  • IP address
  • Physical, physiological and genetic information
  • Economic information
  • Cultural or social preferences

You might think that someone’s name is always personal data, but as the ICO (Information Commissioner’s Office) explains, it’s not that simple:

“By itself the name John Smith may not always be personal data because there are many individuals with that name. However, where the name is combined with other information (such as an address, a place of work, or a telephone number) this will usually be sufficient to clearly identify one individual.”

However, the ICO also notes that names aren’t necessarily required to identify someone:

“Simply because you do not know the name of an individual does not mean you cannot identify [them]. Many of us do not know the names of all our neighbours, but we are still able to identify them.”

What is sensitive personal data?

Sensitive personal data is a specific set of “special categories” that must be treated with extra security. This includes information pertaining to:

  • Racial or ethnic origin;
  • Political opinions;
  • Religious or philosophical beliefs;
  • Trade union membership;
  • Genetic data; and
  • Biometric data (where processed to uniquely identify someone).

Sensitive personal data should be held separately from other personal data, preferably in a locked drawer or filing cabinet. As with personal data generally, it should only be kept on laptops or portable devices if the file has been encrypted and/or pseudonymised.

Getting consent

A common misconception about the GDPR is that all organisations need to seek consent to process personal data. In fact, consent is only one of six lawful grounds for processing personal data, and the strict rules regarding lawful consent requests mean it’s generally the least preferable option.

However, there will be times when consent is the most suitable basis, and organisations need to be aware that they need explicit consent to process sensitive personal data.

Nuances like this are common throughout the GDPR, and any organisation that hasn’t taken the time to study its compliance requirements thoroughly is liable to be tripped up. This could lead to lasting damage, such as enforcement action, regulatory fines, bad press and loss of customers.

GDPR training

You can avoid these kinds of mistakes by enrolling on one of our GDPR training courses. Depending on your level of expertise, you should consider:

If you book either of these courses before the end of July, you’ll save 15%. Alternatively, book our Certified EU GDPR Foundation and Practitioner Combination Course to save 25%.