Special Category Data GDPR Best Practices

Posted by Lynne Callister on 19 Jul 2022


Collecting sensitive personal data has become a necessity for businesses. We explain what special category data is and how to stay GDPR compliant.

6 Tips for Sensitive Personal Data Compliance

Special category data is particularly important as the use of this data could create significant risks to an individual's fundamental rights and freedoms. It is, therefore, vital that this information be treated with greater care.

What is special category data?

Personal data is information that relates to an identifiable individual or data subject. Sensitive personal data is that falling into special categories as defined by the GDPR.

Special category data includes gathered, inferred or guessed details about someone which fall into one of the categories below. Whether an inference or guess counts depends on how certain that inference is and whether you are deliberately drawing it.

The GDPR defines special category data as:

  • Personal data relating to racial or ethnic origin;
  • Personal data relating to political opinions;
  • Personal data relating to religious or philosophical beliefs;
  • Personal data relating to trade union membership;
  • Genetic data;
  • Biometric data (where it is used for identification purposes);
  • Data relating to health;
  • Data about a person's sex life;
  • Data about a person's sexual orientation.


Tips for dealing with sensitive personal data

1. Be clear what data is special category data

Make sure you're clear about what is classed as sensitive personal data (special category data). Broadly, as previously under the Data Protection Act, it includes any data relating to race or ethnic origin, religious or political beliefs (including trade union membership), data on health, sex life or sexual orientation. However, under GDPR, special category data also includes genetic and biometric data (see Article 9).

2. Assess your current data processes

Find out what special category personal data is currently collected and processed by your firm. Is it legitimate and lawful?

3. Be clear about the legal basis for processing

Ensure that you accurately record the legal basis for your data processing: for example, whether you rely on explicit consent, whether the processing is required for the performance of a specific contract, or whether another specific purpose applies (such as the public interest or the vital interests of an individual).


4. Assess the impact of holding the data

Conduct a Data Protection Impact Assessment (DPIA) and/or Privacy Impact Assessment (PIA). We all have a duty to do so where there is a high risk to the rights or freedoms of data subjects. Remember, individual consent may not be enough: where risks are high, you may also need the processing to be approved by the data protection authority.

5. Take extra care with health-related data

The definition of health data is broad under GDPR and includes past, present or future physical or mental health, information from testing or examination of a body part or bodily substance, genetic and biological samples, information on diseases or risk, disability, medical history, clinical treatment, and so on. Be aware that individual EU Member States may also have separate regimes.

6. And with criminal offence data

Criminal offence data is dealt with separately under GDPR (see Article 10), and this type of data is now subject to greater restrictions.


Consequences of misusing special category data

Facebook received a fine from the Spanish data privacy regulator for its generic and unclear privacy policy, which the regulator found did not "adequately collect the consent of either its users or nonusers, which constitutes a serious infringement".

The company collected special category data (sensitive personal data) on gender, religious beliefs, etc. without obtaining express consent, and tracked users on third-party sites.

In France, Facebook was fined €150k by CNIL, the data protection regulator, for collecting user data without their consent or without a legal basis.

The Dutch data regulator also found evidence that Facebook had used sensitive personal data on sexual preferences to target adverts, but chose not to impose any financial penalty.


Want to learn more about GDPR?

To help you plan and execute compliance in your organisation, we have created a comprehensive GDPR roadmap.

Our best-selling Compliance Essentials Library and award-winning LMS provide a one-stop compliance training solution, including GDPR compliance e-learning.

Our searchable GDPR compliance glossary explains key terms, and we regularly report on lessons from the largest compliance fines resulting from regulatory breaches.

We also have 80+ free compliance training aids, including assessments, best practice guides, checklists, desk aids, eBooks, games, posters, training presentations and even e-learning modules!

If you'd like to stay up to date with GDPR best practices, industry insights and key trends across regulatory compliance, digital learning, EdTech and RegTech news, subscribe to the Skillcast Compliance Bulletin.

Last but not least, you can interact in person with thought leaders and your peers at one of our popular live webinars and face-to-face events.

If you've any questions or concerns about compliance or e-learning, please get in touch.

We're happy to help!
