Sensitive Data vs Personal Data: Key Differences in GDPR
How do special category data differ from regular personal data? What additional requirements does GDPR impose on sensitive data processing.
GDPR distinguishes between "regular" personal data and special category data (commonly called "sensitive"). This difference has fundamental significance for processing bases, security measures, and sanctions. Understanding it is crucial for proper data protection.
What is personal data according to GDPR?
Personal data (Art. 4(1)) is any information relating to an identified or identifiable natural person. It includes: name, identification number, location data, online identifier, physical, physiological, genetic, mental, economic, cultural or social identity factors. This is a very broad definition.
What are special category data (sensitive)?
Special category data (Art. 9) includes: racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, genetic data, biometric data for identification, health data, sex life or sexual orientation data. This data requires special protection.
What are the differences in processing bases?
For regular personal data, one of 6 bases from Art. 6 suffices (e.g., contract, legitimate interest). For special category data, Art. 9 introduces a general prohibition with 10 exceptions (e.g., explicit consent, vital interests protection, health purposes). Sensitive data processing requires much stronger bases.
How to protect special category data?
Sensitive data requires enhanced measures: encryption at rest and in transit, role-based access control, minimization of collection and storage, regular access audits, DPIA before large-scale processing. Security breaches involving sensitive data result in higher fines.
**Revelio** and **Detecto** automatically distinguish special category data from regular personal data. Reports classify found data, indicating areas requiring enhanced protection. **Nocturno** offers specialized anonymization techniques for sensitive data.
The distinction between personal data and special categories has practical consequences for every aspect of processing. Proper classification is the foundation of compliance.