Feb 10, 2021 | Blog, GDPR

Personal Data and Sensitive Data

Howard Freeman

Howard Freeman

Do you know the difference?

GDPR Sensitive Data
The GDPR includes a sub-category of sensitive personal data that comes with its own requirements.

The GDPR (General Data Protection Regulation) has been in force for some time. So, no doubt you are familiar with the term ‘personal data’. But, what exactly does personal data mean? The GDPR includes a sub-category of sensitive personal data that comes with its own requirements.

What is personal data?

Simply put, personal data is any piece of information that someone can use to identify, with some degree of accuracy, a living person.

For example, the email address stevelongname@abusiness.co.uk is considered personal data. This indicates there can only be one Steve Longname employed at that particular business. However, it isn’t as simple as that. Therefore, each piece of information shouldn’t be taken on its own merit.

Organisations typically collect and store multiple pieces of information on data subjects. The amassed information can be considered personal data if it can be pieced together to identify a likely data subject.

All of the following is personal data:

  • A name and surname
  • A home address
  • An email address
  • An identification card number
  • Location data
  • An Internet Protocol (IP) address
  • The advertising identifier of your phone

You might think that someone’s name is always personal data. However, the Information Commissioners Office (www.ico.org.uk) states that it’s not that simple:

On its own, the name may not always be personal data because there are many individuals with that name. Great care should be taken, however, when the name is combined with other information. If you add further information such as a place of work, this will usually be sufficient to clearly identify one individual.


Simply because you do not know the name of an individual does not mean you cannot identify [them]. Many of us do not know the names of all our neighbours, but we are still able to identify them.


What is sensitive personal data?

Sensitive personal data is a set of special categories that requires extra security measures. This includes information relating to:

  • Racial or ethnic origin;
  • Political opinions;
  • Religious or philosophical beliefs;
  • Trade union membership;
  • Genetic data; and
  • Biometric data (where processed to uniquely identify someone).

The storage of personal and sensitive data should not be at the same location. As with personal data, storage should be secure. Data can be stored on desktops, laptops or portable devices if this is the only option. In this situation however, the files must be encrypted and/or pseudonymised.

A common misconception about the GDPR is that all organisations need to seek consent to process personal data. We saw many examples where businesses sought consent to talk to their own customers!

However, consent is only one of the six lawful bases for processing personal data. The strict rules regarding lawful consent requests mean it’s generally the least preferable option. However, there will be times when consent is the most suitable basis. Organisations need to be aware that they need explicit consent to process sensitive personal data.

Therefore, if your business hasn’t taken the time to study your compliance requirements thoroughly, you could fall foul of the regulation. This could lead to lasting damage to your business. Enforcement action, fines, legal action bad press and loss of customers! These are all potential consequences of not understanding the law.

Help is at hand. If you don’t have a full understanding of the regulation, you can call us today on 03333 22 1011. Alternatively you can contact us here.


Can we help?