Data security is a priority in the digital world as businesses, individuals, and organizations expand their online presence: every new touchpoint exposes more data to attack.
While your company's cybersecurity efforts have conventionally focused on safeguarding personally identifiable information (PII), a further concern has come to the fore in recent years: sensitive personal information (SPI), which the GDPR calls special categories of personal data. Understanding what counts as SPI is critical to keeping your data systems and networks compliant with stringent standards like the General Data Protection Regulation (GDPR).
Personal data is any information that can be used, on its own or combined with other data, to identify an individual. Anyone who obtains it can single out a specific person, which can lead to a breach of that person's privacy and put their personal safety at risk. Examples of personal data or PII include:
Sensitive data (or SPI) is a subset of personal data that jurisdictions single out as requiring a higher standard of care and stronger security measures, because its disclosure can do greater harm and it is more readily exploited by cybercriminals. Under the GDPR, Article 9(1) lists these special categories: racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, genetic data, biometric data processed to uniquely identify a person, health data, and data concerning a person's sex life or sexual orientation. Because much of this data does not directly identify an individual on its own (genetic and biometric data are the obvious exceptions), it is harder to classify and can slip past a company's regular data loss prevention (DLP) controls, which are usually tuned to match well-formed identifiers such as card or national ID numbers rather than free-text statements about a person's beliefs or health.
Unauthorized use of sensitive personal data or SPI can result in discrimination, harm, damage, or embarrassment for the data subjects. It is therefore important to identify data that falls into this category and apply the stricter GDPR rules when processing it. Recital 51 of the GDPR explains the reasoning: such data are, by their nature, particularly sensitive in relation to fundamental rights and freedoms, and the context in which they are processed could create significant risks to those rights and freedoms, so they merit specific protection.
The following checklist gives a quick assessment of common examples of personal data.
Is a date of birth sensitive personal data? No, an individual's date of birth is considered non-sensitive personally identifiable information. Note, however, that malicious individuals can combine a date of birth with other information to commit crimes such as identity fraud.
Are a person's name and address sensitive personal data? No. They are PII, because they link directly to a person's identity, but they are not a special category. This information is routinely collected by online forms, for example when a customer fills in their particulars.
Is gender sensitive personal data? No, an individual's gender counts as non-sensitive personally identifiable information. Data concerning a person's sex life or sexual orientation, by contrast, is a special category under Article 9, so the distinction matters when designing forms and data models.
Are religious or philosophical beliefs sensitive personal data? Yes, a person's religious or philosophical beliefs fall under sensitive personal data. While this information does not identify a person on its own, cybercriminals may pair it with other information and exploit it to cause reputational damage, discrimination, or physical harm.
Is ethnic or racial background sensitive personal data? Yes, an individual's racial or ethnic origin counts as sensitive personal data and is listed in Article 9(1).
It is important to recognize that sensitive personal data is stored and managed differently from ordinary PII, especially under the GDPR. The GDPR allows the processing of ordinary personal data as long as the organization has a lawful basis under Article 6, complies with the regulation's other conditions, and implements appropriate security measures. In contrast, Article 9 prohibits the processing of special categories of personal data outright unless the organization both has an Article 6 lawful basis and meets one of the specific conditions in Article 9(2), such as the data subject's explicit consent to processing for one or more specified purposes.
Processing of sensitive personal data covers any operation performed on it: collection, storage, retrieval, consultation, sharing, alteration, erasure, or destruction. An organization handling such data acts in one of two roles, data controller or data processor, each with a distinct set of responsibilities, risks, and purposes. Identify your organization's role first, because the obligations and the appropriate practices differ.
A data processor handles personal data, sensitive or otherwise, only on the documented instructions of a data controller, often as a third-party service provider. The contract required by Article 28 of the GDPR must spell out the processor's exact duties: processing only on the controller's instructions, keeping authorized staff bound to confidentiality, implementing appropriate security measures, engaging sub-processors only with the controller's authorization, assisting the controller with data-subject requests and breach notification, allowing audits, and deleting or returning the data when the contract ends. That last clause matters in practice: it ensures a smooth handover of data management and avoids legal disputes when the relationship ends. The following decisions, by contrast, belong to the controller and not to the processor, however much of the day-to-day handling is outsourced:
Determining which data are collected and for what specific purpose.
Setting the retention period for stored data.
Deciding how data are shared and with which parties.
Deciding whether and how data are modified.
Establishing the lawful basis for collection and managing consent in line with the applicable rules.
Companies functioning as data controllers determine the purposes and the means of processing sensitive personal data. Controllers carry heavier duties than their partnered processors in safeguarding that data, since they decide the how and why behind its use, and under Article 5(2) they must be able to demonstrate compliance (the accountability principle). Where processing is likely to result in a high risk to individuals, which is frequently the case for special categories of data, the controller must carry out a data protection impact assessment (DPIA) under Article 35 before the processing begins. Data controller responsibilities may include: