What’s the definition sensitive data? What are some examples? Can you process sensitive information under privacy laws, like the GDPR and the CPRA (CCPA amendment)?
In this post, we’ll answer all these questions and show you what you may need to do to collect and process sensitive personal information.
When we talk about sensitive data, we refer to special categories of personal information, which should be more carefully handled by the processor.
The main difference between regular personal data and sensitive data is that sensitive data could potentially lead to the user’s discrimination, if shared.
That’s because they include information such as race or ethnic origin, sexual orientation, religious beliefs, but also information about the user’s health, for instance.
International laws on data privacy may have different views on sensitive data. Anyway, there is one common ground: all the laws agree that you should collect and process sensitive data only if they are really necessary to your activity. If you do need to collect sensitive information, then you should store it securely and with the utmost care.
This article is a part of our series on data protection. Read also:
Different privacy laws may have different definitions of sensitive data. Anyway, we can find some examples in Article 9 of GDPR, that can apply more broadly.
In its special categories of personal data, the GDPR includes:
The collection and processing of sensitive data is generally allowed. However, you may need to apply extra layers of security when it comes to it.
Let’s have a closer look at the main legislations and their specific requirements:
Under the GDPR, you may only process sensitive data if the user has given explicit and informed consent, meaning that they need to clearly understand what they’re consenting to.
The processing is also allowed if the data is of vital importance in matters of public interest, social security, health, ect. If you collect and process personal data, and particularly if it’s a large scale processing, you need to appoint a Data Protection Officer (DPO) and to carry out a Data Protection Impact Assessment (DPIA).You can learn more about GDPR requirements here.
Even though for the CCPA (as amended by the CPRA) the category of sensitive data falls under the category of regular personal data, you may need to ask the user to opt-in when sensitive information is at stake. This is especially true when there are minors involved.
Since the CCPA did not include a definition sensitive information, it has been amended. The new California Privacy Rights Act (CPRA) will introduce sensitive personal information (SPI), which asks for a higher level of data protection.
As the GDPR, the Brazilian LGPD allows the processing of personal data only if users have given their consent or if consent exceptions apply.
If your business collects and processes sensitive data, you may need to take extra steps to make sure you’re storing them securely.
Here’s what you may need to do:
See which laws apply to you and make sure you’re following the rules.
Here’s how iubenda’s solutions can greatly help when you’re processing sensitive data: