This is a reference for what counts as sensitive (special category) personal data under the UK GDPR, with examples, how it differs from ordinary personal data, and how to identify, classify and protect it.
While carrying out GDPR pen tests, we have often found sensitive data on local file shares and network drives with few access control measures. This has included credentials to third-party vendor sites, personal email account details, passports, credit cards and many more items containing sensitive data.
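A minimal version of the check behind that finding, added here as an example (this is not Cyphere's tooling or code from the original article): it walks a directory tree, flags files that contain Luhn-valid payment card numbers, email addresses or stored credentials, and records whether each flagged file is world-readable. The patterns are heuristics, the permission check assumes POSIX mode bits, and the sample "share" it builds contains constructed data only (the card number is the well-known Visa test number).

```python
import os
import re
import stat
import tempfile

# Heuristic patterns. CARD_RE accepts 13-19 digits with optional space/dash separators and is
# deliberately loose; the Luhn check below does the real filtering.
CARD_RE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")
EMAIL_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")
CRED_RE = re.compile(r"(?i)\b(?:password|passwd|pwd|api[_-]?key|secret)\s*[:=]\s*\S+")


def luhn_valid(digits: str) -> bool:
    """Luhn mod-10 check; rejects most order numbers and IDs that merely look like card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:  # every second digit from the right is doubled
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def find_card_numbers(text: str) -> list:
    """Digits-only card numbers in text that pass the Luhn check."""
    hits = []
    for m in CARD_RE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group(0))
        if 13 <= len(digits) <= 19 and luhn_valid(digits):
            hits.append(digits)
    return hits


def classify_text(text: str) -> dict:
    """Count sensitive-data indicators in a piece of text."""
    return {
        "card_numbers": len(find_card_numbers(text)),
        "emails": len(EMAIL_RE.findall(text)),
        "credentials": len(CRED_RE.findall(text)),
    }


def scan_tree(root: str) -> dict:
    """Walk a tree; for each file with findings, record counts and whether it is world-readable."""
    report = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            try:
                with open(path, "r", encoding="utf-8", errors="ignore") as fh:
                    text = fh.read(1_000_000)  # cap per-file read; binaries need a real parser
            except OSError:
                continue
            counts = classify_text(text)
            if any(counts.values()):
                counts["world_readable"] = bool(os.stat(path).st_mode & stat.S_IROTH)
                report[os.path.relpath(path, root).replace(os.sep, "/")] = counts
    return report


def build_sample_share() -> str:
    """Constructed sample share for the demo (fake data). Returns its path."""
    root = tempfile.mkdtemp(prefix="share_")
    samples = {
        # second card number fails Luhn and must not be reported
        "finance/expenses.csv": "name,card\nA. Smith,4111 1111 1111 1111\nB. Jones,4111-1111-1111-1112\n",
        "it/vendor-logins.txt": "portal: https://vendor.example\nusername: ops\npassword: Winter2024!\n",
        "hr/newsletter.txt": "Contact hr@example.co.uk for the summer party. Order ref 123456789012\n",
    }
    for rel, content in samples.items():
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w", encoding="utf-8") as fh:
            fh.write(content)
    os.chmod(os.path.join(root, "finance", "expenses.csv"), 0o644)  # the typical finding: readable by all
    os.chmod(os.path.join(root, "it", "vendor-logins.txt"), 0o600)
    return root


if __name__ == "__main__":
    for rel_path, findings in sorted(scan_tree(build_sample_share()).items()):
        print(rel_path, findings)
```

On a real share you would point `scan_tree` at the mounted root and treat every hit that is also world-readable as a finding in its own right, because the data classification and the missing access control are separate failures.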
Information relating to an individual can now be accessed from anywhere in the world, which raises the stakes for getting its protection right.
What is sensitive personal data?
As defined by the UK GDPR, sensitive personal data is a particular category of personal information that requires additional protection due to its delicate nature. Processing sensitive personal data is generally prohibited unless specific exceptions apply, and organisations must implement strict safeguards when they process sensitive personal data.
When processing special category data, you must identify a lawful basis under Article 6 and, separately, a condition under Article 9 of the UK GDPR, and put additional safeguards in place to ensure compliance.
The General Data Protection Regulation (GDPR) distinguishes two broad categories of data.
The first is ordinary personal data, such as a customer's name, postal address, contact details or IP address. Any organisation storing or using this information must comply with the GDPR.
The second is sensitive (special category) data: a defined set of personal data such as religion, political opinions, sexual orientation, biometrics and genetic data. UK data protection law (the Data Protection Act 2018 and the UK GDPR) is built on the seven principles in Article 5 of the UK GDPR; the eight principles still often quoted come from the older Data Protection Act 1998.
Understanding sensitive personal data for your business and data subject rights
- Legal compliance: The UK GDPR sets strict rules for processing sensitive personal data, including the conditions and lawful grounds for processing personal data under the GDPR. Non-compliance can result in hefty fines, legal action, and reputational damage. Organisations must understand their obligations to ensure they process sensitive data lawfully.
- Data subject rights: Individuals have enhanced rights over their sensitive data, including the right to be informed, the right to withdraw explicit consent at any time where consent is the condition relied on, and the right to object to processing. Organisations must be aware of these rights and have processes to facilitate them.
- Data security: Sensitive data requires higher security to prevent unauthorised access, disclosure, or misuse. Organisations must implement appropriate technical and organisational measures to safeguard sensitive data, such as encryption, access controls, and regular security audits.
- Privacy by design: Organisations should incorporate data protection principles, including those related to sensitive data, into their processes and systems from the outset. This approach helps ensure that sensitive data is collected, stored and processed in a compliant and secure way.
- Transparency and trust: Handling sensitive personal data transparently and responsibly helps build trust with data subjects, regulators, and other stakeholders. Organisations that demonstrate a solid commitment to data protection are more likely to maintain customer loyalty and a positive brand reputation.
Suggested Read: Data Subject Access Request
Examples of sensitive personal data
These categories are known as special category data, which requires extra security measures and a specific Article 9 condition before it can be processed. Under Article 9 of the UK GDPR, sensitive personal data is personal data revealing or concerning:
- Racial or ethnic origin: information that reveals an individual's race or ethnicity, such as skin colour, cultural background or nationality.
- Political opinions: data that reveals an individual's political views or affiliations, such as party membership or voting history.
- Religious or philosophical beliefs: information that reveals an individual's faith, spiritual practices or moral convictions.
- Trade union membership: data that reveals an individual's membership of, or affiliation with, a trade union.
- Genetic data: personal data relating to an individual's inherited or acquired genetic characteristics, typically obtained by analysing a biological sample.
- Biometric data used for identification: personal data resulting from specific technical processing of an individual's physical, physiological or behavioural characteristics, such as fingerprints, facial recognition templates or iris scans, where it is used to uniquely identify them. A photograph on its own is not biometric data unless it is processed to identify someone.
- Health data: personal data relating to an individual's physical or mental health, including the provision of health care services, that reveals their health status, medical history or treatment.
- Data concerning a person's sex life or sexual orientation: information that reveals an individual's sexual preferences, practices or orientation.
These categories of personal data are considered sensitive because they could be used to discriminate against individuals or reveal intimate aspects of their private lives. As such, the processing of sensitive personal data is subject to stricter conditions and safeguards under the UK GDPR. Criminal conviction and offence data is not in the Article 9 list but receives similar protection under Article 10.
Personal Data vs Sensitive Data: What’s the Difference?
Personal data is any information relating to an identified or identifiable natural person (the data subject), directly or indirectly, such as a name, identification number, location data or online identifier. Sensitive data, by contrast, is the particular category of personal data that reveals racial or ethnic origin, political opinions, religious or philosophical beliefs or trade union membership, or that consists of genetic data, biometric data used for identification, health data, or data concerning a person's sex life or sexual orientation.
Key differences between sensitive and personal data:
- Sensitivity: Sensitive data is considered more delicate and private than general personal data, as it could be used to discriminate against individuals or reveal intimate aspects of their lives.
- Processing conditions: The conditions for processing sensitive data are stricter and more limited than personal data, with a higher threshold for obtaining consent and implementing safeguards.
- Risk and impact: The misuse, unauthorised disclosure, or breach of sensitive data can have more severe consequences for data subjects, such as discrimination, reputational damage, or psychological harm.
Processing Of Sensitive Personal Data: Prohibition & Exceptions
Under the UK GDPR, processing sensitive personal data is prohibited by default. Article 9(2) sets out the exceptions, and an organisation must meet at least one of them (in addition to an Article 6 lawful basis) to process sensitive data lawfully.
Prohibition on processing sensitive data:
The general rule is that processing sensitive personal data is prohibited unless a specific exception applies.
This prohibition is in place to protect individuals from potential discrimination, harm, or unwanted intrusion into their private lives.
Exceptions to the prohibition (Article 9(2)):
- Explicit consent: The data subject has given explicit consent to the processing for one or more specified purposes.
- Employment, social security and social protection law: Processing is necessary for carrying out the obligations and exercising the specific rights of the controller or the data subject in the field of employment, social security and social protection law.
- Vital interests: Processing is necessary to protect the vital interests of the data subject or another person where the data subject is physically or legally incapable of giving consent.
- Legitimate activities of non-profit bodies: Processing is carried out, with appropriate safeguards, in the course of the legitimate activities of a foundation, association or other not-for-profit body with a political, philosophical, religious or trade union aim, and relates only to its members, former members or regular contacts.
- Data made public by the data subject: Processing relates to personal data that the data subject has manifestly made public.
- Legal claims: Processing is necessary for the establishment, exercise or defence of legal claims, or whenever courts are acting in their judicial capacity.
- Substantial public interest: Processing is necessary for reasons of substantial public interest, on the basis of UK law, and is proportionate to the aim pursued.
- Health or social care: Processing is necessary for preventive or occupational medicine, assessing the working capacity of an employee, medical diagnosis, the provision of health or social care or treatment, or the management of health or social care systems and services.
- Public health: Processing is necessary for reasons of public interest in the area of public health, such as protecting against serious cross-border threats to health or ensuring high standards of quality and safety of health care and of medicinal products or medical devices.
- Archiving, research and statistics: Processing is necessary for archiving purposes in the public interest, scientific or historical research purposes, or statistical purposes.
When relying on one of these exceptions, organisations must ensure that the processing is proportionate, necessary, and subject to appropriate safeguards. They should also document their justification for processing sensitive data and be prepared to demonstrate compliance with the UK GDPR if required.
How do you handle or protect sensitive personal data as a business?
As a business handling sensitive personal data under the UK GDPR, adopting best practices to ensure compliance, protect data subjects' rights, and mitigate risks is crucial. Here are some essential best practices:
Data minimisation
Collect and process only necessary data; regularly review and delete unnecessary data.
Pseudonymisation and encryption
Replace personally identifiable information with pseudonyms; encrypt data at rest and in transit.
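An illustration of the pseudonymisation step, added here as an example and not code from the original article: the weak form (an unkeyed hash of the identifier, which an attacker can rebuild from a list of likely emails) beside the keyed form (HMAC-SHA256 with a secret key and a per-dataset purpose label), plus a record transformer that drops direct identifiers and keeps the payload for analysis. `DEMO_KEY`, the field names and the sample records are assumptions for the demo; in production the key comes from a secrets manager or HSM and never sits beside the pseudonymised data.

```python
import hashlib
import hmac
import secrets
from typing import Callable, Optional

# Demo key only (hard-coded so the example is self-contained). Generate real keys with
# generate_key() and keep them in a secrets manager or HSM, separate from the data.
DEMO_KEY = bytes.fromhex("0f1e2d3c4b5a69788796a5b4c3d2e1f0" * 2)

# Assumed field names for the demo records.
DIRECT_IDENTIFIERS = ("email", "name", "nhs_number")


def generate_key() -> bytes:
    """256-bit pseudonymisation key."""
    return secrets.token_bytes(32)


def canonical(value: str) -> str:
    """Normalise so that 'Alice@Example.com ' and 'alice@example.com' map to the same token."""
    return value.strip().lower()


def weak_pseudonym(value: str) -> str:
    """Unkeyed SHA-256: deterministic, but anyone with a list of likely values can rebuild the table."""
    return hashlib.sha256(canonical(value).encode()).hexdigest()


def pseudonym(value: str, key: bytes, purpose: str = "customer-id") -> str:
    """Keyed pseudonym (HMAC-SHA256). Same key + purpose gives the same token, so records stay
    joinable; without the key the token cannot be reversed or recomputed. 'purpose' domain-separates
    datasets so the same person carries unlinkable IDs in, say, HR and research extracts."""
    msg = f"{purpose}:{canonical(value)}".encode()
    return hmac.new(key, msg, hashlib.sha256).hexdigest()


def pseudonymise_record(record: dict, key: bytes, purpose: str) -> dict:
    """Strip direct identifiers and attach one keyed token; the payload (here health data) is kept."""
    out = {k: v for k, v in record.items() if k not in DIRECT_IDENTIFIERS}
    out["subject_id"] = pseudonym(record["email"], key, purpose)
    return out


def dictionary_attack(token: str, candidates: list, fn: Callable[[str], str]) -> Optional[str]:
    """What an attacker holding a leaked token, a list of likely inputs and a guessed function can do."""
    for c in candidates:
        if hmac.compare_digest(fn(c), token):
            return c
    return None


if __name__ == "__main__":
    guesses = ["alice@example.com", "bob@example.com"]  # constructed attacker wordlist
    print("weak token recovered :", dictionary_attack(weak_pseudonym("alice@example.com"), guesses, weak_pseudonym))
    print("keyed token recovered:", dictionary_attack(pseudonym("alice@example.com", DEMO_KEY), guesses,
                                                     lambda v: pseudonym(v, b"attacker-guess")))
    print(pseudonymise_record({"email": "alice@example.com", "name": "Alice", "diagnosis": "asthma"},
                              DEMO_KEY, "research"))
```

Two caveats a practitioner should keep in mind: pseudonymised data is still personal data under the UK GDPR because the controller holds the key, so it reduces risk rather than taking the data out of scope; and encrypting the stored records themselves (the "at rest" half of this bullet) is a separate control, typically AES-GCM from a vetted library, that this example does not show.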
Access control and monitoring
Limit access to sensitive data; implement strong authentication; monitor and log access.
Regular staff training and awareness
Train employees on data protection principles, policies, and procedures; raise awareness about risks and consequences.
Vendor management and due diligence
Conduct thorough due diligence on third-party vendors; ensure appropriate security measures through contracts and audits.
Data Protection Impact Assessments (DPIAs)
Conduct DPIAs for high-risk processing; identify and mitigate risks; demonstrate compliance.
Incident response and breach notification
Develop and test incident response plans; notify authorities and data subjects in case of a breach; document incidents and resolution steps.
Popular FAQs on personal data
Is a work email address personal data?
Yes. A work email address that identifies a named individual (for example firstname.lastname@company.com) relates to that person and is personal data. A generic shared address such as info@company.com does not identify anyone on its own.
Is the home address personal data under GDPR?
Yes. Your home address can be used to identify you as a person. Therefore, it is personal data.
Is the date of birth personal data under GDPR?
Yes. A date of birth is personal data (though not special category data) because it can be used, especially alongside other details, to identify an individual.
Is information about the deceased individual personal data?
No. The UK GDPR applies to personal data related to living individuals.
Is biometric data sensitive data?
Yes, biometric data used for identification purposes is considered sensitive personal data under the UK GDPR.
Is the date of birth sensitive personal data under GDPR?
No. A date of birth is not special category data under the UK GDPR, but it is still personal data and must be protected.
Is next of kin sensitive data?
Next-of-kin information is not inherently sensitive; it is personal data about the next of kin and must be handled in accordance with the UK GDPR.
What are non-sensitive personal data?
Non-sensitive personal data is any personal data that does not fall under the special categories of sensitive data, such as name, address, email, or phone number.
Are bank details sensitive personal data?
Not in the legal sense: bank details are not special category data under Article 9 of the UK GDPR. They are personal data whose exposure can cause direct financial loss and fraud, so they should be protected to the same standard as sensitive data, and a breach involving them is likely to meet the risk threshold for notifying the ICO.
Are dietary requirements sensitive personal data?
Yes, dietary requirements can be sensitive personal data if they reveal information about an individual’s health or religious beliefs.
What is the best way to store sensitive data?
Store sensitive data pseudonymised where possible and encrypted at rest and in transit, restrict access on a need-to-know basis with strong authentication and logging, and keep tested backups that are protected to the same standard as the live data.
Is age sensitive personal data?
No. Age is not special category data under the UK GDPR, but it is still personal data and must be protected.
How can Cyphere help you protect your most sensitive data?
The most important element in protecting your business is ensuring that people, processes and technical controls work together. Measure your current state, measure the effect of changes, and assess your blind spots regularly.
Leaked credentials and information about your employees, processes or technology assets can often be found online through various channels. Attackers use this material to plan an attack and to shape the infrastructure needed to bypass your controls. Exercises such as red teaming, penetration testing, phishing simulations and OSINT (open-source intelligence gathering) let organisations assess these exposures and locate their highest-risk weaknesses.
Gain a comprehensive view of how your information security and data privacy practices apply on the ground, much more than documents or policy files, with our GDPR-specific exercises such as GDPR Penetration Testing and Data Privacy Services.
🤙 Get in touch to discuss your primary security concerns with our security experts.