The legislation surrounding GDPR may be fairly clear to you. However, the exact nature of what it covers – in terms of personal data – could be up for debate.
When we ask which identifying information has to be guarded and is subject to data protection law, there must be a firm definition. Otherwise you don't know what you're liable for.
More than 30% of businesses have made changes to their cyber security policy in light of GDPR, and the various definitions of 'sensitive' data and types of data security guide those measures.
So, what is sensitive data? Here, we examine it.
What is considered sensitive data under GDPR?
This kind of information relates to anything personal about website users, customers, employees or clients: anything that could reveal who they are, or their interests and affiliations.
In everyday usage, 'sensitive data' covers everything from age, date of birth and dietary requirements (which can reveal religion or health conditions) through to biometric data and sexual orientation. Under the GDPR, only the special categories listed below get the stricter Article 9 treatment, but all of it is personal data that you are liable for. This identifying information is at risk because it can be used or combined with other data to breach privacy or infer a person's intentions. In the first six months of 2019 alone, 4.1 billion records were exposed by breaches, with the business sector accounting for 67% of that number.
Where a third party processes sensitive data on your behalf, your business must put a GDPR-compliant written contract in place setting out how that data is handled, and keep it readily available for inspection.
What is considered non-sensitive data under GDPR?
The other data classification covers personal data that does not fall into the special categories. It carries no special-category characteristics; it is more a catalogue of browsing behaviour, such as cookies, mobile advertising IDs, hashed email addresses and other technical identifiers. Note that these online identifiers are still personal data under the GDPR (a hashed email address is pseudonymised, not anonymised), so the general obligations to document, protect and delete them still apply; only the extra Article 9 conditions do not.
What are examples of sensitive information?
Generally, we can split personal data into the special categories that the GDPR (Article 9) treats most strictly. You have to protect information about a person's:
- Sexual orientation or sex life
- Racial or ethnic origin
- Political opinions
- Biometric data processed to uniquely identify them, such as a fingerprint or facial image
- Genetic data
- Health, physical or mental
- Religious or philosophical beliefs
- Trade union membership
Some industries, such as health or social care, are at greater risk from a breach than others, because they process special-category data in much larger volumes as part of their everyday work.
What is the most secure way to store sensitive data?
The GDPR is clear that you must document all the data you hold (what it is, why you hold it, and for how long) and securely destroy it once you are no longer contractually or legally obliged to keep it.
Cloud and on-site server systems each have their advantages and drawbacks. Often the best approach for protecting the data is a hybrid one: remote cloud storage alongside your own databanks.
If you do store data yourself, limit it to the most critical data you need to access quickly, and keep the rest in an encrypted cloud backup. Ask the hosting provider to explain how they meet the GDPR's requirements as a processor too, including where the data is physically stored and whether it leaves the EU or UK.
How can DPP GDPR Help with Compliance?
A business handling sensitive information in any working capacity has to know what it is handling and how assurances can be provided. For help with the definitions of sensitive and non-sensitive data, what to look for in storage security, or the impact on HR, speak to one of our solicitors today.