
Personal data is today widely recognized as a valuable asset. Because of the value it holds in the business world, personal data is a primary target for cybercriminals and hackers. With most people sharing their personal data online for all kinds of reasons, from shopping to making online payments and banking transactions, the digital industry is a treasure trove of sensitive information. Thankfully for consumers, numerous regulatory bodies around the globe have recognized the sensitivity of such data. To protect the integrity and confidentiality of personal data, regulators have enforced various data privacy laws such as GDPR, HIPAA, NESA and CCPA, to name a few. Companies that collect, store, or handle personal data are therefore legally obliged to implement the measures necessary to protect it.

But for organizations to comply with these privacy laws, and especially with the GDPR, they need to understand and differentiate data privacy terminology. Legal jargon can be confusing for businesses, especially when many of the definitions are similar and are used interchangeably in day-to-day life.

This is the case in the GDPR, where organizations that are expected to protect personal data are also required to place greater emphasis on the security of sensitive personal data. Under the GDPR, certain types of data are considered sensitive personal data and are classified as a special category of personal data.

Knowing the difference between personal data and sensitive data is therefore crucial. In this blog, we explain the key terms and the differences between them so that organizations can implement security measures accordingly. But let us first understand both terms, personal data and sensitive personal data, as used in the GDPR.

What is Personal Data?

Personal data can be defined as any piece of information that can be used to identify a person. This can include a name, phone number, address, age, email id, etc. Personal data can even be a piece of information that records your physical presence.

This could include CCTV footage, fingerprints or other biometric prints, eye scans, etc. Even data that, when combined with another relevant piece of information, can lead to the identification of a person may be classified as personal data.

However, it is important to note that not all data is personal data. For instance, a first name by itself may not be personal data until it is combined with data such as a surname, phone number, location, email id, etc. that leads to the exact identification of the person. For example, with just the name John, the individual cannot be identified, as there may be many individuals named John. But combining that piece of information with a surname, email id or phone number makes it personal data, because the individual can then be identified.

All of this may seem complicated, but it is not really that difficult once you understand it. Organizations typically collect and store multiple pieces of information on data subjects, and that information is considered personal data if the pieces can be put together to identify the data subject. Some of the most common examples of personal data include name and surname, home address, email address, identification card number, location data and Internet Protocol (IP) address.
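The "John alone is not identifying, John plus surname or email is" reasoning above can be checked mechanically on a dataset. The script below is an added example (not code from the original post): it counts, for each combination of fields, how many records share the same values. A combination under which any record stands alone singles out a person and so behaves as personal data; this is the equivalence-class size used in k-anonymity. The records, field names and values are constructed for illustration.

```python
"""Check which field combinations single out a person in a dataset.

Added example: records and field names below are constructed, not taken
from the original post. The core idea is the k-anonymity group size:
if the smallest group of records sharing a value combination has size 1,
that combination identifies at least one data subject.
"""
from collections import Counter
from itertools import combinations

# Constructed sample records. Note that every first name and every surname
# occurs more than once, while every email is unique.
RECORDS = [
    {"name": "John",  "surname": "Smith", "email": "john.smith@example.com", "city": "Leeds"},
    {"name": "John",  "surname": "Doe",   "email": "jdoe@example.com",       "city": "Leeds"},
    {"name": "John",  "surname": "Smith", "email": "j.smith2@example.com",   "city": "York"},
    {"name": "Maria", "surname": "Rossi", "email": "m.rossi@example.com",    "city": "Leeds"},
    {"name": "Maria", "surname": "Doe",   "email": "maria.d@example.com",    "city": "York"},
    {"name": "Maria", "surname": "Rossi", "email": "maria.r@example.com",    "city": "York"},
]
FIELDS = ("name", "surname", "email", "city")


def equivalence_classes(records, fields):
    """Group records by the tuple of values held in `fields`; map tuple -> count."""
    return Counter(tuple(r.get(f) for f in fields) for r in records)


def min_group_size(records, fields):
    """Smallest number of records sharing one value combination (the k of k-anonymity).
    Returns 0 for an empty dataset."""
    classes = equivalence_classes(records, fields)
    return min(classes.values()) if classes else 0


def is_identifying(records, fields):
    """True when at least one record is unique under these fields, i.e. the
    combination can be used to identify a specific person."""
    return min_group_size(records, fields) == 1


def identifying_combinations(records, fields, max_size=None):
    """All field combinations, smallest first, under which someone is singled out.
    `max_size` bounds how many fields are combined at once."""
    max_size = max_size or len(fields)
    return [
        combo
        for n in range(1, max_size + 1)
        for combo in combinations(fields, n)
        if is_identifying(records, combo)
    ]


if __name__ == "__main__":
    for fields in (("name",), ("surname",), ("email",), ("name", "surname")):
        print(" + ".join(fields), "-> smallest group:", min_group_size(RECORDS, fields),
              "(identifying)" if is_identifying(RECORDS, fields) else "(not identifying)")
    print("Pairs that single someone out:",
          [" + ".join(c) for c in identifying_combinations(RECORDS, FIELDS, max_size=2)])
```

On the constructed records, "name" alone has a smallest group of 3 and "surname" alone of 2, so neither identifies anyone, while "email" alone and "name + surname" both reach a group of 1. Running the same check over a real extract of the fields an organization actually stores is a quick way to find out which of them, alone or together, are personal data.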

What is Sensitive Personal Data?

Sensitive personal data can be defined as a special category of personal data that requires extra security and special processing requirements. According to the GDPR, sensitive personal data includes racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, genetic data relating to a person’s inherited or acquired genetic characteristics, biometric data such as fingerprints, sexual orientation, and data concerning a person’s physical or mental health.

The General Data Protection Regulation sets out special guidelines for the collection and processing of the sensitive personal data of all European Union (EU) citizens. Further, different sets of rules are established for controllers and processors that process special categories of data. Processing these types of data can involve unacceptable levels of risk to fundamental human rights and freedoms. For these reasons, additional security measures must be implemented to protect sensitive personal data.

Why are Personal Data and Sensitive Personal Data separately defined under GDPR?

Any organization that collects, stores, uses or discloses personal data and sensitive personal data is required to adhere to the security requirements outlined under the GDPR. However, it is important to note that the obligations are much more stringent when it comes to sensitive personal data. The nature of sensitive personal data is critical.

This is because the level of risk exposure, and the implications of a breach, are higher for such sensitive data than for ordinary personal data. If such data is misused or inappropriately handled, the person may suffer discrimination or mistreatment. For these reasons, sensitive personal data attracts greater security requirements under the GDPR than personal data. Businesses that handle sensitive personal data should therefore know their obligations and implement the additional security requirements accordingly.

Difference between Personal Data and Sensitive Personal Data

As per the GDPR Privacy law, both Personal Data and Sensitive Personal Data should be protected against any security threats or breaches. However, given the nature of sensitive personal data, processing it requires explicit consent and additional security measures as stated in GDPR requirements.

The processing of sensitive personal data requires controllers or processors to abide by a different set of rules for the special categories of data. Further, Member States can also introduce conditions, or enforce limitations concerning the processing of sensitive personal data like genetic data, biometric data, or any data concerning the health of an individual.

The table below summarizes the critical differences between personal and sensitive personal data, and how each is processed and stored.

Personal Data vs. Sensitive Personal Data

Definition

Personal Data: Any information related to an identified or identifiable living human being.

Sensitive Personal Data: Any distinct personal data that is more sensitive in nature compared to other personal data.

Examples

Personal Data:
1. Name
2. Identification number
3. Location data
4. Contact information such as a home address or email address
5. IP address
6. Advertising ID

Sensitive Personal Data:
1. Racial or ethnic origin
2. Political opinions
3. Religious or philosophical beliefs
4. Trade union membership
5. Genetic data
6. Biometric data used for identification purposes
7. Data regarding health, sex life, and sexual orientation

Processing of Data

Personal Data: As per the GDPR, personal data can be processed under certain conditions, such as:
1. Consent from the data subject,
2. Necessary for a legitimate interest,
3. Necessary in the public interest,
4. Exercise of official authority vested in the controller,
5. Necessary for compliance with a legal obligation,
6. Necessary for the performance of a contract with the data subject,
7. Necessary to protect the interests of a data subject,
8. Relevant security measures are implemented and comply with the GDPR requirements.

Sensitive Personal Data: The GDPR prohibits the processing of all kinds of sensitive personal data unless the data subject has already made the data public, or under other conditions such as:
1. The data subject has given explicit consent,
2. Necessary for carrying out obligations under employment, social security or social protection law, or a collective agreement,
3. Necessary to protect the vital interests of a data subject who is physically or legally incapable of giving consent,
4. Necessary for the establishment, exercise, or defense of legal claims, or whenever courts are acting in their judicial capacity,
5. Necessary for reasons of substantial public interest based on Union or Member State law, which is proportionate to the aim pursued and which contains appropriate safeguarding measures,
6. Necessary for preventive or occupational medicine, for the assessment of the working capacity of the employee, medical diagnosis, the provision of health or social care or treatment, or the management of health or social care systems and services, based on Union or Member State law or according to a contract with a health professional and subject to the conditions and safeguards,
7. Necessary for reasons of public interest in the area of public health, such as protecting against serious cross-border threats to health or ensuring high standards of quality and safety of health care and of medicinal products or medical devices,
8. Necessary for archiving purposes in the public interest, scientific or historical research purposes, or statistical purposes in accordance with Article 89,
9. For legitimate activities with appropriate safeguards by a foundation, association, or any other not-for-profit body with a political, philosophical, religious, or trade union aim, on condition that the processing relates solely to the members or former members of the body or to persons who have regular contact with it in connection with its purposes, and that the personal data are not disclosed outside that body without the consent of the data subjects.



What are the security measures required as per GDPR?

The GDPR requires that personal data must be processed securely using appropriate technical and organizational measures.

The regulation does not mandate a specific set of security measures; rather, it expects you to take "appropriate" action. The security measures required may therefore vary with the type of data processed and the type of risk exposure.


Sensitive personal data requires additional protection measures because of its sensitive and personal nature. All digital files must be encrypted and stored in a folder with minimum access controls.

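One concrete way to enforce and verify the "folder with minimum access controls" requirement is to create such storage owner-only and then audit it for any group or world permission bits. The script below is an added example (not code from the original post) covering the access-control half of that sentence on a POSIX system; encrypting the file contents should be done with a vetted cryptographic library and is not shown here. The folder name, file name and file contents are constructed placeholders.

```python
"""Owner-only storage for sensitive files plus a permission audit.

Added example, not from the original post. POSIX file modes only:
directories are created 0700 and files 0600, and `audit_access` reports
any path under the folder that grants read/write/execute to group or others.
Content encryption is out of scope for this snippet.
"""
import os
import stat
import tempfile

OWNER_ONLY_DIR = 0o700   # rwx for owner only
OWNER_ONLY_FILE = 0o600  # rw for owner only
GROUP_OTHER_BITS = 0o077  # any of these set means someone besides the owner has access


def store_sensitive_file(folder, name, data):
    """Write `data` (bytes) to folder/name so that only the owner can reach it."""
    os.makedirs(folder, mode=OWNER_ONLY_DIR, exist_ok=True)
    os.chmod(folder, OWNER_ONLY_DIR)  # makedirs' mode is subject to umask; pin it explicitly
    path = os.path.join(folder, name)
    # Create the file with restrictive mode from the first instant it exists,
    # rather than creating it and tightening afterwards.
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, OWNER_ONLY_FILE)
    with os.fdopen(fd, "wb") as fh:
        fh.write(data)
    os.chmod(path, OWNER_ONLY_FILE)
    return path


def audit_access(folder):
    """Return [(path, octal_mode)] for every directory or file under `folder`
    that is accessible to group or others. An empty list means the folder passes."""
    findings = []
    for root, _dirs, files in os.walk(folder):
        for p in [root] + [os.path.join(root, f) for f in files]:
            mode = stat.S_IMODE(os.lstat(p).st_mode)  # lstat: do not follow symlinks out of the folder
            if mode & GROUP_OTHER_BITS:
                findings.append((p, oct(mode)))
    return findings


def demo():
    """Store a constructed file correctly, then loosen it to show the audit catching it.
    Returns (findings_when_clean, findings_after_loosening)."""
    with tempfile.TemporaryDirectory() as tmp:
        folder = os.path.join(tmp, "special-category")  # constructed name
        path = store_sensitive_file(folder, "health-record.json", b'{"constructed": true}')
        clean = audit_access(folder)
        os.chmod(path, 0o644)  # deliberate misconfiguration: world-readable
        loose = audit_access(folder)
        return len(clean), len(loose)


if __name__ == "__main__":
    print("findings (clean, after chmod 644):", demo())
```

`audit_access` is the piece worth scheduling: run it over the folders holding special-category data and treat any finding as a deviation to fix, since a single world-readable file undoes the folder's access control.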
Conclusion

Organizations need to understand and classify the types of data their business collects. Once you understand the subtle differences between the personal data and sensitive personal data you are dealing with, you can review your obligations under the GDPR. Based on the type of data processed, you can then protect personal data and/or sensitive personal data accordingly.

This knowledge will enable you to secure data and take appropriate steps to safeguard all sensitive information and prevent breaches. You can always consult experienced professionals like us at VISTA InfoSec. We have 16+ years of experience in the industry and have helped many businesses achieve GDPR compliance. So, with us by your side, you can be assured of a smooth compliance journey.

Narendra Sahoo

Narendra Sahoo (PCI QSA, PCI QPA, CISSP, CISA, and CRISC) is the Founder and Director of VISTA InfoSec, a global Information Security Consulting firm, based in the US, Singapore & India. Mr. Sahoo holds more than 25 years of experience in the IT Industry, with expertise in Information Risk Consulting, Assessment, & Compliance services. VISTA InfoSec specializes in Information Security audit, consulting and certification services which include GDPR, HIPAA, CCPA, NESA, MAS-TRM, PCI DSS Compliance & Audit, PCI PIN, SOC2 Compliance & Audit, PDPA, PDPB to name a few. The company has for years (since 2004) worked with organizations across the globe to address the Regulatory and Information Security challenges in their industry. VISTA InfoSec has been instrumental in helping top multinational companies achieve compliance and secure their IT infrastructure.