December 13, 2023
What is Considered Sensitive Data Under the GDPR?
There are many different kinds of personal information that a company might store in the course of creating and maintaining user accounts: names, residential addresses, payment information, government ID numbers, and more. Obviously, companies have a vested interest in keeping this sensitive data safe, as data breaches can be both costly and embarrassing.
What counts as private or sensitive data—and what sorts of responsibility companies have to protect such data—changed with the passage of the General Data Protection Regulation (GDPR) by the European Union. (The GDPR is a component of the EU’s privacy law and human rights law relevant to Article 8 of the Charter of Fundamental Rights of the European Union.) The GDPR is proving to be both expansive in what it covers and strict in what it requires of entities holding user data, and the fines levied for non-compliance can sometimes be harsh.
The European Union’s own GDPR website has a good overview of what the regulation is, along with overviews of its many parts and guidelines for compliance. But one of the stickier points of this regulation is what is considered “sensitive data,” and how this might differ from personal data, which is at the core of the GDPR. Sensitive data forms a special protected category of data, and companies must take steps to find it using appropriate sensitive data discovery tools.
The GDPR Protects Personal Data
At the heart of the GDPR is the concept of personal data. Personal data includes any information which can be linked to an identified or identifiable person. Examples of such information include:
- Identification numbers.
- Location data—this includes anything that can confirm your physical presence somewhere, such as security footage, fingerprints, etc.
- Any data which represents physical, physiological, genetic, mental, commercial, cultural, or social identity.
- Identifiers which are assigned to a person—telephone numbers, credit card numbers, account data, license plates, customer numbers, email addresses, and so on.
- Subjective information such as opinions, judgments, or estimates—for example, an assessment of creditworthiness or review of work performance by an employer.
It is important to note that some kinds of data might not successfully identify a person unless used with other data. For example, a common name like “James Smith” might apply to many people, and so would not pick out a single individual. But combining that name with an email address further narrows things down to a particular company and identifier; together, the name and email are personal information. Likewise, things like gender, ZIP Code, or date of birth would be non-sensitive, non-personal information unless combined with other information to identify someone. Hackers and bad actors will often use disparate pieces of data to identify individuals, so all potential personal information should be handled cautiously.
That said, some personal information is also considered sensitive information; the GDPR discourages collecting, storing, processing, or displaying this information except under special circumstances—and in those cases, extra security measures are needed.
Sensitive Information Under the GDPR
Sensitive data under the GDPR (sometimes referred to as “sensitive personal data”) includes:
- Any personal data revealing racial or ethnic origin, political opinions, or religious or philosophical beliefs;
- Trade union membership;
- Genetic data;
- Biometric data used to identify a person;
- Health-related data; and
- Data concerning a person’s sex life or sexual orientation.
According to Article 9 paragraph 1 of the GDPR, these kinds of information cannot be processed except for special cases as outlined in paragraph 2. This includes gathering and storing such data in the first place.
Application of the GDPR: Does it Affect Your Organization?
In short, yes, the GDPR is relevant even for companies operating largely outside of the European Union. The goal of the GDPR is to protect data belonging to EU citizens and residents; it categorizes many of its provisions as a right that people have. Thus, anyone handling data about EU residents is subject to GDPR regulations, independent of their location.
For example, if you have a company in the U.S. with a website, and said website is accessed and used by citizens residing in the European Union, and part of that use is creating accounts which process and store user data, then your company must comply with the GDPR. (This is referred to as the “extra-territorial effect.”)
Even more alarming is the fact that sensitive data might exist within an organization without its being aware of the scope and extent of that data’s existence. Consider:
- The average company has more than a half million sensitive files (534,465—to be exact).
- 53% of companies have found over 1,000 sensitive files exposed to all employees.
- Only 4% of organizations report sufficient security for their data in cloud environments, meaning that 96% cannot guarantee this.
In short, no company should assume that it has a handle on sensitive data until it can verify the location of all sensitive personal data using a robust sensitive data discovery procedure.
Data Subject Requests, The Right to Be Forgotten, and Data Minimization
Processing sensitive information becomes an especially challenging conundrum when it comes to Data Subject Requests (DSRs). Such requests can include things like the Right to be Forgotten: The right that individuals have to request that information about them be deleted if they choose. According to the GDPR (and many other data protection regulations), organizations receiving requests from individuals have a limited and specific time period for honoring such requests.
Most organizations will honor these requests simply by deleting the relevant information. But this approach runs into two problems.
First, redundant copies of data often exist in complex environments—for example, the same personal information might appear in a testing environment, a production environment, and a marketing analytics database. Without robust sensitive data discovery, it’s possible that an individual isn’t really “forgotten” by the system after all.
Second, there is the issue of database integrity. Deleting data might remove important bits of information, such as transaction histories. This can make it incredibly difficult to keep audit trails or maintain accurate data analytics. Companies that acquire sensitive information, then, would do better finding ways to minimize this data, rather than delete it completely.
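As an added example (not code from the article), one way to honour an erasure request by minimisation rather than deletion across the redundant copies described above: direct identifiers are replaced with a keyed pseudonym in every store where the subject is found, while customer IDs and transaction histories are kept. The stores, records and key are constructed for the demonstration.

```python
import hashlib
import hmac

# Constructed sample data: the same person appears in production, testing
# and marketing analytics, the redundancy the article warns about.
STORES = {
    "production": [{"customer_id": 101, "name": "James Smith",
                    "email": "james.smith@example.com",
                    "txn_history": [{"id": "t1", "amount": 42.0}]}],
    "testing": [{"customer_id": 101, "name": "James Smith",
                 "email": "james.smith@example.com", "txn_history": []}],
    "marketing": [{"customer_id": 7, "name": "Ann Lee", "email": "ann@example.com",
                   "txn_history": []},
                  {"customer_id": 101, "name": "James Smith",
                   "email": "james.smith@example.com",
                   "txn_history": [{"id": "t2", "amount": 10.0}]}],
}
DIRECT_IDENTIFIERS = ("name", "email")  # fields that name the data subject


def pseudonym(value, key):
    """Keyed hash: the same input maps to the same token in every store, so
    joins keep working, but it cannot be reversed without the key."""
    digest = hmac.new(key, value.lower().encode(), hashlib.sha256).hexdigest()
    return "anon-" + digest[:16]

def discover(stores, email):
    """Discovery step: list every store that still holds this subject's email."""
    return sorted(name for name, rows in stores.items()
                  if any(r["email"].lower() == email.lower() for r in rows))

def erase_by_minimisation(stores, email, key):
    """Honour an erasure request by replacing direct identifiers wherever the
    subject appears; customer_id and txn_history are kept so audit trails and
    analytics remain consistent. Returns the number of records rewritten."""
    rewritten = 0
    for rows in stores.values():
        for row in rows:
            if row["email"].lower() == email.lower():
                for field in DIRECT_IDENTIFIERS:
                    row[field] = pseudonym(row[field], key)
                rewritten += 1
    return rewritten

if __name__ == "__main__":
    print(discover(STORES, "james.smith@example.com"))   # all three stores
    print(erase_by_minimisation(STORES, "james.smith@example.com", b"demo-key"))
    print(discover(STORES, "james.smith@example.com"))   # []
```

Destroying the key afterwards turns the pseudonyms into irreversible tokens, completing the erasure without breaking the records that reference them.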
If you would like to learn more about data minimization, sensitive data discovery, or GDPR compliance in general, feel free to browse our articles or contact a compliance expert. In the meantime, our case study of a Swiss Bank also highlights how cross-border data-sharing can be accomplished while maintaining compliance with the GDPR.