Sensitive personal data

What is sensitive personal data?

Any data that relates to an identified or identifiable living individual is known as personal data. Certain categories of personal data require extra protection and have special processing requirements; these are termed sensitive personal data.

Types of sensitive data

According to the GDPR, sensitive personal data can be:

  • Racial or ethnic origin
  • Political opinions
  • Religious or philosophical beliefs
  • Trade union membership
  • Genetic data relating to a person's inherited or acquired genetic characteristics
  • Biometric data such as fingerprints
  • Sexual orientation or sex life
  • Data concerning a person's physical or mental health

GDPR sensitive personal data definition

The General Data Protection Regulation (GDPR) is a set of guidelines mandated by the European Commission for the collection and processing of the personal data of all European Union (EU) citizens. The GDPR aims to protect the privacy of all European citizens and to regulate how organizations handle their data. Personal data revealing racial or ethnic origin, political opinions, religious beliefs, or trade union membership, together with genetic, biometric, sexual orientation, and health details of individuals from the EU, falls under the GDPR's sensitive data list.

How is sensitive personal data different from personal data?

The major difference between personal and sensitive personal data is how each is processed and stored. The comparison below summarizes the critical differences between personal and sensitive personal data.

What is it?
  • Personal data: Information related to an identified or identifiable living human being.
  • Sensitive personal data: A distinct subset of personal data that is more sensitive than ordinary personal data and needs extra protection.

How is it processed?
  • Personal data: As per the GDPR, personal data can be processed if certain conditions are complied with, such as consent from the data subject and relevant security measures.
  • Sensitive personal data: The GDPR prohibits the processing of all kinds of sensitive personal data unless the data subject has already made that data public, or one of a few other conditions applies.

Examples
  • Personal data: An email address such as John@abccompany.com, along with details such as name, company, location, and IP address.
  • Sensitive personal data: An individual's racial origin, political opinion, and genetic or biometric information.

How should sensitive personal data be stored?

The Data Protection Act (DPA) 2018 issued special guidelines to regulate the storage of sensitive personal data. Hard copies must be stored separately in a locked drawer or a filing cabinet. All digital files must be encrypted and stored in a folder whose access is restricted to the minimum set of people who need it. These additional conditions, safeguards, and exemptions for sensitive personal data are set out in Schedule 1, Part 1 of the UK DPA 2018.

Securing sensitive personal data with DataSecurity Plus

DataSecurity Plus offers a comprehensive solution that can help identify and safeguard sensitive personal data.

Discover sensitive data:

Scan and locate all files containing sensitive personal data (PII, ePHI, or PCI data) on Windows file servers and failover clusters using our PII scanner.
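To show what a discovery scan of this kind does under the hood, here is an added example written for this page; it is not DataSecurity Plus's own scanner. It walks a directory tree, matches email addresses (PII) and payment card numbers (PCI data) with regular expressions, and validates candidate card numbers with the Luhn check so that arbitrary 16-digit strings are not reported as false positives. The sample files, the patterns, and the function names are all constructed for the illustration; a real deployment would add more detectors and run against the file shares being inventoried.

```python
import re
import tempfile
from pathlib import Path

# Detector patterns (assumptions for this example, not a complete PII catalogue).
EMAIL_RE = re.compile(r"\b[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}\b")
# 13 to 19 digits, optionally separated by spaces or hyphens, not adjacent to other digits.
CARD_RE = re.compile(r"(?<!\d)(?:\d[ -]?){13,19}(?!\d)")


def luhn_valid(digits: str) -> bool:
    """Return True if the digit string passes the Luhn checksum used by payment cards."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def find_card_numbers(text: str) -> list:
    """Return candidate card numbers (separators removed) that pass the Luhn check."""
    hits = []
    for match in CARD_RE.finditer(text):
        digits = re.sub(r"[ -]", "", match.group())
        if 13 <= len(digits) <= 19 and luhn_valid(digits):
            hits.append(digits)
    return hits


def scan_file(path: Path) -> dict:
    """Count detector hits in one file. Only counts are kept: a scan report must not
    become a second copy of the sensitive values it found."""
    text = path.read_text(encoding="utf-8", errors="ignore")
    return {
        "emails": len(EMAIL_RE.findall(text)),
        "card_numbers": len(find_card_numbers(text)),
    }


def scan_tree(root) -> list:
    """Walk the tree and return (relative path, counts) for every file with at least one hit."""
    root = Path(root)
    findings = []
    for path in sorted(root.rglob("*")):
        if path.is_file():
            result = scan_file(path)
            if any(result.values()):
                findings.append((path.relative_to(root).as_posix(), result))
    return findings


# Constructed sample files: one with emails, one with a valid and an invalid card number,
# one with nothing sensitive. 4111 1111 1111 1111 is a well-known Luhn-valid test number.
SAMPLE_FILES = {
    "hr/contacts.txt": "Reach John at john.doe@example.com or jane@example.org.\n",
    "finance/refunds.csv": "order,card\n1001,4111 1111 1111 1111\n1002,1234 5678 9012 3456\n",
    "readme.txt": "Nothing sensitive here. Build 2024.01.\n",
}


def build_sample_tree() -> str:
    """Write the constructed sample files into a temporary directory and return its path."""
    root = tempfile.mkdtemp(prefix="pii-scan-")
    for rel, content in SAMPLE_FILES.items():
        target = Path(root) / rel
        target.parent.mkdir(parents=True, exist_ok=True)
        target.write_text(content, encoding="utf-8")
    return root


if __name__ == "__main__":
    for rel_path, counts in scan_tree(build_sample_tree()):
        print(f"{rel_path}: {counts}")
```

Running the script reports `finance/refunds.csv` with one card number (the Luhn-invalid row is dropped) and `hr/contacts.txt` with two email addresses, while `readme.txt` produces no finding. Reporting counts and locations rather than the matched values keeps the scan output itself from becoming a file that needs the same protection as the data it describes.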

Examine security permissions:

Identify files with open access and inconsistent permissions, and analyze NTFS and share permissions using our file analysis tool.

Protect sensitive files from data leaks:

Classify files manually based on the sensitivity of their content, and stop them from leaving the organization via USB drives, email, and similar channels using our data leak prevention solution.

DataSecurity Plus offers a suite of tools with which you can protect sensitive data in your organization.
