This is taken from Dark Data: The Hidden Risk to GDPR Non-Compliance, a free industry guide authored by Tim Hyman. In it, he examines the requirements of GDPR and explains how dark data could be impacting your compliance efforts. Learn best-practice solutions for new compliance workflows designed to protect your organization.
Personal or Sensitive
It is important to determine whether data is ‘personal’ or ‘sensitive personal’ as defined by the regulations, as different levels of protection are required – some mandatory and accountable in the case of sensitive data. It is also a new requirement that processors understand what type of data they are handling on behalf of their clients.
The definition of personal data has been broadened to include anything that can be directly associated with an individual. Broadly, GDPR keeps existing definitions but adds digital footprints such as cookies and IP addresses.
‘Personal data’ means any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person. - Article 4 of GDPR
Sensitive Personal Data
The following are the GDPR classifications for sensitive personal data:
Revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership; and the processing of genetic data, biometric data for the purpose of uniquely identifying a natural person; data concerning health or data concerning a natural person’s sex life or sexual orientation shall be prohibited. - Article 9 of GDPR
The GDPR essentially prohibits the processing of sensitive personal data unless one of the criteria in Article 9 (2) is met. These include:
9(2)(a) – Explicit consent of the data subject, unless reliance on consent is prohibited by EU or Member State law.
9(2)(e) – Data manifestly made public by the data subject.
About the author
Tim is an independent consultant specializing in information security and GDPR technology compliance. This follows 20+ years as an IT Director of top 20 law firms including Reed Smith, Olswang and Taylor Wessing, with a broad-based management responsibility for strategy, systems design, implementation and support.