What exactly is sensitive data? How is it different from regular personal data? How could the processing of sensitive data affect your business?
In this post, we’ll answer all these questions and show you what you may need to do to collect and process sensitive personal information.
Most data privacy laws mention special categories of personal data, which the processor should handle more carefully.
Sensitive data relates to the user’s racial or ethnic origin, religious belief, political opinion, health or sexual life data; or data that allows the unequivocal and persistent identification of the user, such as genetic or biometric data (for a more in-depth definition of sensitive information, you can read Article 9 of the GDPR).
It differs from regular personal data because, if shared, it could potentially lead to discrimination against the user.
The collection and processing of sensitive data is generally allowed. However, you may need to apply extra layers of security when handling it.
Let’s have a closer look at the main laws and their specific requirements:
Under the GDPR, you may only process sensitive data if the user has given explicit and informed consent, meaning that they need to clearly understand what they’re consenting to.
The processing is also allowed if the data is of vital importance in matters of public interest, social security, health, etc.
If you collect and process personal data, and particularly if it’s large-scale processing, you need to appoint a Data Protection Officer (DPO) and carry out a Data Protection Impact Assessment (DPIA).
Even though under the CCPA sensitive data falls under the category of regular personal data, you may need to ask the user to opt in when sensitive information is at stake.
This is especially true when there are minors involved.
Like the GDPR, the Brazilian LGPD allows the processing of personal data only if users have given their consent or if consent exceptions apply.
If your business collects and processes sensitive data, you may need to take extra steps to make sure you’re storing it securely.
Here’s what you may need to do:
See which laws apply to you and make sure you’re following the rules.
Here’s how iubenda’s solutions can greatly help when you’re processing sensitive data:
The solution to generate your Privacy Policy. Customizable from 1700+ clauses, available in 9 languages and self-updating