8 Min

Examples of sensitive data

The UK General Data Protection Regulation (UK GDPR) contains rules for the way you collect and process sensitive data. But what is sensitive data and how does it differ from personal data? 

Read on to identify some examples of sensitive data and learn some key differences between sensitive and personal data. We’ll also look at the legal grounds for processing it and how to avoid data breaches. Let’s dive in... 

What is sensitive data?

Sensitive dataalso known as special category data or sensitive personal datais confidential information that you should only make available to people who have the right permissions to access it.

Data is not considered sensitive if it’s: 

  1. Already publicly known and available, or 
  2. Organisational information that you regularly share in or outside your organisation 

But what types of personal data are considered sensitive? Let’s find out.

What are some examples of sensitive data?

  • Racial or ethnic origin
  • Political beliefs or religious beliefs
  • Genetic or biometric data
  • Mental health or sexual health
  • Sexual orientation and sex life
  • Possession of lack of trade union membership
  • Financial information
  • Criminal convictions and offences

You’ll need to store sensitive data like this separately from other personal data. And, when you store it digitally, you’ll also need to encrypt it or remove any personally identifiable markers.  

This last point also applies to personal data, but there are also some important differences between the two types of information.

 

 

Is sensitive data and personal data the same thing?

In short, no. There are much tougher rules that apply to processing and storing sensitive data. 

Personal data is any information that someone could use to identify an individual or establish their physical presence at a location. Things like CCTV footage, fingerprints, physical addresses and phone numbers, for example. So, if you can use a piece of information to identify a data subject, you’re dealing with personal data.  

But sensitive data is whole different level. It’s the type of information that could cause harm to an individual if you disclosed it. As such, the regulations protect it on legal, ethical or other relevant grounds. 

What are some examples of non-sensitive data?

Even when exploring non-sensitive data, you’ll still need to exercise some caution. Because although some pieces of data aren’t individually sensitive, when combined they could help someone to identify a data subject. Things like:  

  • Gender 
  • Date of birth 
  • Postcode 
  • Birthplace  
  • Employment status 
  • Level of education 

This isn't an exhaustive list — non-sensitive personal data can apply to any type of personally identifiable information even if it doesn’t qualify as special category data. 

Once you’ve identified sensitive data, you’ll need to determine how sensitive it is. Only then can you work out the level of protection that it needs. 

How do you assess data sensitivity?

There are several ways to do this. A key first step when measuring the sensitivity of data is to consider its confidentiality, integrity and availability. In other words, how bad would it be for your data subject (and your business) if this data were released? 

Confidentiality 

Make sure data is protected from unauthorised access but easily accessible to permitted parties. Some confidentiality countermeasures include:  

  • Data encryption  
  • Two-factor authentication 
  • Passwords 
  • Biometric verification 


Integrity

Ensure data remains consistent and accurate throughout its lifecycle and that information isn’t changed or tampered with. Some integrity countermeasures are: 

  • User access controls 
  • Audit logs 
  • Backups 
  • File permissions 


Availability

Make data available when people need it. And make sure you protect it with relevant security controls and using countermeasures like these:

  • Regular software patch management 
  • Maintaining a business continuity management system (BCMS) for effective disaster recovery 
  • Conducting repairs to hardware as soon as needed 
  • Maintaining firewalls and other additional security measures 

Okay, great. You’ve assessed the sensitivity of the data your organisation collects! But have you considered the legalities involved when you process it?  

What are the conditions for processing sensitive data?

There are six lawful grounds for processing personal and sensitive data: consent, contractual obligations, legal obligations, vital interest, public interest and legitimate interest.  These grounds determine if you have a legal basis for processing sensitive data or not. 

Article 6 and 9 of the UK GDPR lay down these requirements, and here they are:

  • The data subject must have either:
    • Already made the data public, or 
    • Given their explicit consent for its collection/processing 
  • Processing must be in the data subject’s best interests if they're unable or incapable of giving explicit consent
  • Processing is required due to a significant public health concern
  • Processing is necessary for the data controller (your organisation) to adhere to employment-related, social security or other obligations
  • Processing is necessary to verify the legitimacy of activities carried out by not-for-profit organisations or foundations 

If you don’t stay up to date with the compliance requirements for processing sensitive data, your organisation could be liable for damages.  

What are the consequences of the unauthorised disclosure of sensitive data?

You need to clearly notify individuals about the data you're collecting, the reasons why, and what you intend to do with it. The UK GDPR states that you have to get the explicit consent of the data subject. You’ll also need to:  

  • Notify individuals in case of a data breach  
  • Appoint a data-protection officer (DPO) 
  • Maintain the anonymity of collected data for the privacy of the data subject  

If you don’t, you run the risk of lasting damage to your organisation’s reputation, and regulatory fines and legal action. 

Conclusion

Sensitive data requires a higher level of consideration and protection than personal data because its release could potentially harm the data subject.  

To avoid compromising the privacy of data subjects, it’s important to be familiar with the compliance requirements outlined by the UK GDPR. By doing so, you’ll be better able to uphold countermeasures that protect the confidentiality, integrity and availability of sensitive data.  

Perhaps an outsourced DPO may be the best option for reducing data breach risks and your liability. Connect with one of our experts and improve your approach to processing sensitive data! 

Book an appointment

 

 

About the author

Contact Sales

See what DataGuard can do for you.

Find out how our Privacy, InfoSec and Compliance solutions can help you boost trust, reduce risks and drive revenue.

  • 100% success in ISO 27001 audits to date 
  • 40% total cost of ownership (TCO) reduction
  • A scalable easy-to-use web-based platform
  • Actionable business advice from in-house experts

Trusted by customers

Canon  Logo Contact Hyatt Logo Contact Holiday Inn  Logo Contact Unicef  Logo Contact Veganz Logo Contact Burger King  Logo Contact First Group Logo Contact TOCA Social Logo Contact Arri Logo Contact K Line  Logo Contact

Get to know DataGuard

Simplify compliance

  • External data protection officer
  • Audit of your privacy status-quo
  • Ongoing GDPR support from a industry experts
  • Automate repetitive privacy tasks
  • Priority support during breaches and emergencies
  • Get a defensible GDPR position - fast!

Trusted by customers

Canon  Logo Contact Hyatt Logo Contact Holiday Inn  Logo Contact Unicef  Logo Contact Veganz Logo Contact Burger King  Logo Contact First Group Logo Contact TOCA Social Logo Contact Arri Logo Contact K Line  Logo Contact

Get to know DataGuard

Simplify compliance

  • Continuous support on your journey towards the certifications on ISO 27001 and TISAX®️, as well as NIS2 Compliance.
  • Benefit from 1:1 consulting
  • Set up an easy-to-use ISMS with our Info-Sec platform
  • Automatically generate mandatory policies
Certified-Icon

100% success in ISO 27001 audits to date

 

 

TISAX® is a registered trademark of the ENX Association. DataGuard is not affiliated with the ENX Association. We provide consultation and support for the assessment on TISAX® only. The ENX Association does not take any responsibility for any content shown on DataGuard's website.

Trusted by customers

Canon  Logo Contact Hyatt Logo Contact Holiday Inn  Logo Contact Unicef  Logo Contact Veganz Logo Contact Burger King  Logo Contact First Group Logo Contact TOCA Social Logo Contact Arri Logo Contact K Line  Logo Contact

Get to know DataGuard

Simplify compliance

  • Proactive support
  • Create essential documents and policies
  • Staff compliance training
  • Advice from industry experts

Trusted by customers

Canon  Logo Contact Hyatt Logo Contact Holiday Inn  Logo Contact Unicef  Logo Contact Veganz Logo Contact Burger King  Logo Contact First Group Logo Contact TOCA Social Logo Contact Arri Logo Contact K Line  Logo Contact

Get to know DataGuard

Simplify compliance

  • Comply with the EU Whistleblowing Directive
  • Centralised digital whistleblowing system
  • Fast implementation
  • Guidance from compliance experts
  • Transparent reporting

Trusted by customers

Canon  Logo Contact Hyatt Logo Contact Holiday Inn  Logo Contact Unicef  Logo Contact Veganz Logo Contact Burger King  Logo Contact First Group Logo Contact TOCA Social Logo Contact Arri Logo Contact K Line  Logo Contact

Let's talk