The EU mandated the General Data Protection Regulation (GDPR) in May 2018, with the goal of protecting all forms of personal data, which is defined as any information relating a person to an identifier. Since its inception, there's been some confusion about what classifies as general and sensitive personal data, which may be a top contributing factor as to why only 20% of businesses believe they are GDPR compliant. Let’s break down what this really means, and how organizations can handle such data under the GDPR sensitive personal data requirements, without violating compliance.
Defining Sensitive Personal Data under the GDPR (with examples)
The GDPR describes two types of data: personal data and sensitive personal data. Personal data is any information that is clearly identifiable and about a particular person. This can include names, identification numbers and location data, as well as other instances of structured and unstructured data.
Sensitive personal data is a mixture of private opinions and health information that falls into specialized, legally protected categories. Businesses must treat this data with the highest security. Here are some examples of sensitive personal data.
- Racial or ethnic origin
- Political opinions
- Religious or philosophical beliefs
- Trade union membership
- Genetic data
- Biometric data
- Gender identity or sexual orientation
Processing Sensitive Personal Data under the GDPR
Once these different types of data are understood and classified, it’s time to address how to process sensitive information in a compliant manner under the GDPR. The processing of sensitive personal data is only legal if it satisfies at least one of the following conditions:
- Explicit consent of data subjects
- Necessary for the carrying out of obligations under employment, social security or social protection law, or a collective agreement
- Necessary to protect the vital interests of a data subject who is physically or legally incapable of giving consent
- Processing carried out by a not-for-profit body with a political, philosophical, religious or trade union aim provided the processing relates only to members or former members (or those who have regular contact with it in connection with those purposes) and provided there is no disclosure to a third party without consent
- Data manifestly made public by the data subject
- Necessary for the establishment, exercise or defense of legal claims, or where courts are acting in their judicial capacity
- Necessary for reasons of substantial public interest on the basis of Union or Member State law which is proportionate to the aim pursued and which contains appropriate safeguarding measures
- Necessary for the purposes of preventative or occupational medicine, for assessing the working capacity of the employee, medical diagnosis, the provision of health or social care or treatment or management of health or social care systems and services on the basis of Union or Member State law or a contract with a health professional
- Necessary for reasons of public interest in the area of public health, such as protecting against serious cross-border threats to health or ensuring high standards of healthcare and of medicinal products or medical devices
- Necessary for archiving purposes in the public interest, or scientific and historical research purposes or statistical purposes in accordance with Article 89(1) — this is a new condition under the GDPR and provides that sensitive data can be processed for the purposes of archiving, research and statistics
Removing the guesswork from GDPR Personal Data Compliance
GDPR compliance is often labeled as difficult to achieve, with 36% of businesses claiming GDPR requirements are too complex to implement, especially when it comes to processing sensitive personal data. Just understanding how to process sensitive personal data under the legislation is enough to make one’s head spin. But the good news is that it doesn’t have to be so difficult.
With Enterprise Recon by Ground Labs, GDPR compliance is easily achievable, as the award-winning solution can identify, monitor and remediate over 300 different types of data, including sensitive personal data. Organizations can also create an inventory of sensitive data, upholding the GDPR requirement for ongoing data surveillance by monitoring it around the clock via the Enterprise Recon dashboard.
Don’t leave sensitive personal data up to chance — book a demo with us today to get started on a clear path to GDPR compliance.
