GDPR Personal Data VS Sensitive Data

Now that the GDPR (General Data Protection Regulation) is in effect, you’ve probably heard how the GDPR defines personal data and that it includes a sub-category of sensitive personal data, which comes with its own requirements. If you haven’t, this blog post will reveal everything you need to know in a simple and easy-to-understand way.

What is Personal Data?

Personal data is information that can be used to identify a living person. It is not quite that simple, though, because each piece of information does not have to identify the person on its own. Companies typically gather multiple pieces of information about data subjects, and that information counts as personal data if it can be combined to identify a subject.

Any of the following can be regarded as personal data:

  • Name
  • ID number
  • Location data
  • IP address
  • Physical, physiological, and genetic information
  • Economic information
  • Cultural or social preferences
  • Payment Card Industry (PCI) information: the PCI Data Security Standard (PCI DSS) regulates data related to credit, debit, or other payment cards. Companies cannot store credit or debit card numbers in electronic form without express, written consent.
  • Protected Health Information (PHI): the Health Insurance Portability and Accountability Act (HIPAA) governs this type of information. Protected health information is individually identifiable health information relating to the past, present, or future physical or mental condition of a subject.

For example, a given name on its own may not always be personal data, because many individuals share the same name. Nevertheless, when such a name is combined with other information (address, employer, phone number, or ID number), it is sufficient to identify one individual.

What is Sensitive Personal Data?

Sensitive personal data is a specific set of “special categories” of personal data that must be handled with extra safeguards. It includes information about:

  • Racial or ethnic origin
  • Political opinions
  • Religious or philosophical beliefs
  • Trade union membership
  • Genetic data

A business cannot process any information falling within the list above without taking extra precautions. This is particularly relevant to employees, since many personnel files contain some of this information, especially in unionized industries.