Sensitive personal data

Data security is a priority in the digital world as businesses, individuals, and organizations expand their online presence, exposing data to more vulnerabilities alongside the growing number of touchpoints.
While your company's cybersecurity efforts conventionally focus on safeguarding personally identifiable information (PII), there are other concerns that have emerged in recent times, particularly sensitive personal information (SPI). It is critical to understand the significance of SPI to keep your data systems and networks compliant with stringent standards like the General Data Protection Regulation (GDPR).

‍
What is personal data?

‍
Personal data refers to any information you can use by itself or with other data to identify an individual. When accessed, it is possible to identify a specific person, which could result in a breach of their privacy and personal security concerns. Examples of personal data or PII include:

• Asset information such as your IP address
• Biometric details like X-rays and retina scans
• Phone numbers
• Addresses (physical and online)
• Name

‍

What is sensitive data?

‍
Sensitive data (or SPI) refers to a branch of personal data that jurisdictions identify as requiring a higher standard of care and security measures due to their vulnerable nature, which makes them more easily exploited and manipulated by cybercriminals. Also, since SPI does not directly identify an individual, it could prove more challenging to categorize them as they could escape detection by a company's regular data loss prevention (DLP) strategies.
‍

Sensitive personal data examples

‍
Unauthorized use of sensitive personal data or SPI could result in the discrimination, harm, damage, or embarrassment of data subjects. As such, it is important to identify data that fall under this category and take extra precautions when processing such information under strict GDPR guidelines. The GDPR's Recital 51 classifies sensitive personal data as such because it "requires a higher degree of protection due to the nature of the information and because the processing of the information could create significant risks to the fundamental rights and freedoms of the data subject.
You can refer to the following checklist for a quick assessment of personal data examples.

‍
Is a person's date of birth sensitive personal data?

‍
No, an individual's date of birth is considered a type of non-sensitive personally identifiable information. However, it is important to note that malicious individuals can combine a person's date of birth with other information to orchestrate criminal acts like identity fraud.

Is a person's name and address sensitive data?

‍
No. A person's name and address are considered PII as they link to a person's identity. The information is often collected by online forms for various purposes, such as the filling in of online particulars.

Is a person's gender sensitive personal data?

‍
No, an individual's gender counts as non-sensitive personally identifiable information.

Is a person's religion sensitive personal data?

Yes, a person's religion or philosophical beliefs fall under sensitive personal data. While these pieces of information do not identify a person, cybercriminals may pair them with other information and exploit them to cause reputational damage, discrimination, and physical harm.

Is a person's ethnic background sensitive data?

‍
Yes, an individual's ethnic and racial background counts as sensitive personal data.
It is important to recognize the differences in storing and managing sensitive personal data compared to the procedures for PII, especially with regard to GDPR guidelines. The GDPR allows the processing of PII as long as companies comply with legal conditions and requirements and undergo the necessary security measures. In contrast, the GDPR strictly prohibits organizations from processing special categories of personal data unless it has a lawful basis or meets one of the conditions outlined in Article 9, such as receiving explicit consent from the data subject for data use in fulfilling specified purposes.
‍

What is the processing of personal data?
‍

The processing of sensitive personal data includes the storage, collection, retrieval, consulting, sharing, erasing, or destruction of the information. Companies fall into two categories regarding data management, each with a distinct set of responsibilities, risks, and purposes. It is important to identify your organization's specific role for the best practices.
‍

What is a data processor?

Essentially, data processors manage sensitive personal data based on the instructions from a data controller, often in a third-party capacity. It is crucial for data processors to specify their exact duties to the data controller for legal purposes. The agreement between processors and controllers should also include detailed explanations of how data gets managed at the end of a contract between processors and controllers. Doing so ensures a smooth succession of data management while avoiding legal disputes. Data processor responsibilities may include:
Determining the type of data collected and their specific purpose.
Planning and establishing the timeline of stored data.
Deciding data sharing methods and the parties involved.
Modifying or changing data.
Acquiring legal rights and following the proper guidelines for personal data collection and consent management.
‍

What is a data controller?
‍

Companies functioning as data processors determine the purpose and the means involved in processing sensitive personal data. Data controllers have more significant duties and responsibilities in safeguarding sensitive personal data than partnered data processors since they decide the how and why behind data usage. Essentially, a data controller oversees much of the data privacy impact assessment (DPIA). Data controller responsibilities may include:

• Storing and safeguarding the personal data collected from controllers.
• Applying the most suitable tools and strategies for data management.
• Suggesting and designing effective practices and systems that help controllers collect the necessary data from their data subjects.
• Transferring data from controllers to their respective destinations.
• Example of a data processor and controller relationship
• For instance, Company A hires Company B to manage its accounting processes by providing relevant data such as organizational budgets, employee wages, and funding documentation. In this scenario, company A is the data controller that entrusts Company B as the data processor because of their accounting acumen.
• Sensitive personal data under GDPR
• Personal data definition under the GDPR relates to any information which is related to an identified or identifiable natural person. The GDPR further categorizes SPI as special category data in Article 9 of their statute. According to the GDPR, special category data require additional protection. Examples of personal data under GDPR's special category include:
• Political opinions
• Religious or political beliefs
• Personal data revealing racial or ethnic origin.
• Health data
• Trade union membership
• Details on sexual orientation and lifestyle
• Genetic data

‍

‍

‍