How-to: GDPR gets personal and sensitive

The EU has reformed its data protection laws for two reasons: to help generate business in the EU by simplifying the rules for companies in the Digital Single Market, and to respond to Europeans' concerns about data protection. The GDPR aims to achieve both through one set of EU-wide rules.

Starting with first principles, if the EU wants to protect personal and sensitive data, then how exactly are we to define 'personal' and 'sensitive'?

What is 'personal data'?

Personal data is defined as any piece of personal information that can be used to identify an individual, either directly or indirectly. This includes information such as an individual's:
  • Name
  • Telephone Number
  • Email address
  • Date of birth
  • Health information
  • Location data
  • Online identifiers such as IP addresses or cookies
Note that none of these needs to be complete on its own: it is enough that partial elements can be put together to positively identify an individual.

What is 'sensitive data'?

The GDPR defines 'sensitive personal data' as data which reveals an individual's:
  • Racial or ethnic origin
  • Political opinions
  • Religious or philosophical beliefs
  • Trade Union membership
  • Genetic or biometric details, where processed to uniquely identify an individual
  • Health details
Under the GDPR, organisations are prohibited from processing sensitive data unless the individual gives the data holder his or her permission, or processing is allowed in specific cases.

Now that we know what it is, what does the GDPR allow us to do with it? Follow on. RC