
    6 steps to stay compliant with sensitive personal data

    Published on 21 Dec 2017 by Lynne Callister


    Even before the introduction of GDPR, the financial penalties for misuse of personal information were significant and enforced. Follow our 6 steps to reduce the risks for your organisation.

    Data regulators in France, Spain and the Netherlands flexed their muscles during the run-up to GDPR implementation.

    Facebook received a fine from the Spanish data privacy regulator for its generic and unclear privacy policy, which the regulator said did not "adequately collect the consent of either its users or nonusers, which constitutes a serious infringement". The company collected special category data (sensitive personal data) on gender, religious beliefs, etc. without obtaining express consent, and tracked users on third-party sites.

    In France, Facebook was fined €150k by CNIL, the data protection regulator, for collecting user data without their consent or without a legal basis.

    The Dutch data regulator also found evidence that Facebook had used sensitive personal data on sexual preferences to target adverts, but chose not to impose any financial penalty.

    Tips to stay compliant when using special category data (sensitive personal data):

    1. Make sure you're clear about what is classed as sensitive personal data (special category data) - Broadly, as previously under the Data Protection Act, it includes any data relating to race or ethnic origin, religious or political beliefs (including trade union membership), data on health, sex life or sexual orientation. However, under GDPR, it also includes genetic and biometric data (see Article 9).
    2. Gather information - Find out what special category personal data is currently collected and processed by your firm. Is it legitimate and lawful?
    3. Be clear about the legal basis for processing - For example, whether you have explicit consent, whether it is required for the performance of specific contracts, or for other specific purposes (such as the public interest or the vital interests of an individual).
    4. Conduct a Data Protection or Privacy Impact Assessment - We all have a duty to do so where there is a high risk to the rights or freedoms of data subjects. Remember, individual consent may not be enough and you may also need processing to be sanctioned by the data protection authority where risks are high.
    5. Take extra care with health data - The definition is broad under GDPR and includes past, present or future physical or mental health, information from testing or examination of a body part or bodily substance, genetic and biological samples, information on diseases or risk, disability, medical history, clinical treatment, and so on. Be aware that different Member States may also have separate regimes.
    6. Check the rules on criminal convictions and offences - These are dealt with separately under GDPR (see Article 10) and this type of data is now subject to greater restrictions.

    Want to know more about GDPR?

    As well as 30+ free compliance training aids, we regularly publish informative GDPR blogs. And, if you're looking for a training solution, why not visit our GDPR course library.

    If you've any further questions or concerns about GDPR, just leave us a comment below this blog. We are happy to help!
