The GDPR: What is Considered Sensitive Personal Data?
The EU began enforcing the General Data Protection Regulation (GDPR) in May 2018, with the goal of protecting all forms of personal data, defined as any information that relates to an identified or identifiable person. Since its inception, there has been some confusion about what qualifies as general versus sensitive personal data, which may be a top contributing factor as to why only 20% of businesses believe they are GDPR compliant. Let’s break down what this really means, and how organizations can handle such data under the GDPR without violating compliance.
Defining Sensitive Personal Data
Under the GDPR, personal data means any information about a particular person that can be linked back to that person. This can include names, identification numbers and location data, as well as other instances of structured and unstructured data. “Sensitive” personal data generally falls into the following categories, and a business must treat this data with the highest level of security:
- Racial or ethnic origin
- Political opinions
- Religious or philosophical beliefs
- Trade union membership
- Genetic data
- Biometric data
Processing Sensitive Data Under the GDPR
Once these different types of data are understood and classified, it’s time to address how to process sensitive information in a compliant manner under the GDPR. The processing of sensitive data is only legal if it satisfies at least one of the following conditions:
- Explicit consent of data subjects
- Necessary for the carrying out of obligations under employment, social security or social protection law, or a collective agreement
- Necessary to protect the vital interests of a data subject who is physically or legally incapable of giving consent
- Processing carried out by a not-for-profit body with a political, philosophical, religious or trade union aim provided the processing relates only to members or former members (or those who have regular contact with it in connection with those purposes) and provided there is no disclosure to a third party without consent
- Data manifestly made public by the data subject
- Necessary for the establishment, exercise or defence of legal claims or where courts are acting in their judicial capacity
- Necessary for reasons of substantial public interest on the basis of Union or Member State law which is proportionate to the aim pursued and which contains appropriate safeguarding measures
- Necessary for the purposes of preventative or occupational medicine, for assessing the working capacity of the employee, medical diagnosis, the provision of health or social care or treatment or management of health or social care systems and services on the basis of Union or Member State law or a contract with a health professional
- Necessary for reasons of public interest in the area of public health, such as protecting against serious cross-border threats to health or ensuring high standards of healthcare and of medicinal products or medical devices
- Necessary for archiving purposes in the public interest, or scientific and historical research purposes or statistical purposes in accordance with Article 89(1) – this is a new condition under the GDPR and provides that sensitive data can be processed for the purposes of archiving, research and statistics
Taking the Guesswork out of GDPR Compliance
GDPR compliance is often labeled as difficult to achieve, with 36% of businesses claiming GDPR requirements are too complex to implement. Just understanding how to process sensitive personal data under the legislation is enough to make one’s head spin. But the good news is that it doesn’t have to be so difficult.
With Enterprise Recon by Ground Labs, GDPR compliance is easily achievable, as the award-winning solution can identify, monitor and remediate over 300 different types of data, including sensitive personal information. Organizations can also create an inventory of sensitive data, upholding the GDPR requirement for ongoing oversight of that data by monitoring it around the clock via the Enterprise Recon dashboard.
Don’t leave sensitive personal information up to chance — book a demo with us today to get started on a clear path to GDPR compliance.