The processing of personal data has always been among the burning issues that privacy lawmakers have to deal with. Considerable legislation has been drafted on this issue, and countries spend a lot of money and manpower to ensure that personal data is indeed protected. The General Data Protection Regulation (GDPR) is no different, containing a number of provisions for the handling of personal data.
The GDPR makes a distinction between regular personal data and sensitive personal data, and there are considerable differences in how these two types may be processed. It also redefines the very meaning of ‘personal data’ compared with the present legislation, so that is worth exploring as well, especially since it can be difficult to determine what falls under ‘personal data’ nowadays.
Most company owners are already aware of the guidelines for data processing, but the GDPR does introduce certain changes that should be taken into account.
The GDPR: Old Wine in New Bottles?
The currently valid Data Protection Directive already distinguishes between personal and sensitive data. The European Commission considers ‘any information relating to an individual, whether it relates to his or her private, professional or public life’ as personal information.
- Section 1(1) of the Data Protection Act defines personal data as ‘any information relating to an identified or identifiable natural person (“data subject”); an identifiable person is one who can be identified, directly or indirectly, in particular by reference to an identification number or to one or more factors specific to his physical, physiological, mental, economic, cultural or social identity’.
- Article 4(1) of the GDPR defines personal data as ‘any information relating to an identified or identifiable natural person (“data subject”); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person’.
These definitions are very wide, and although the latter is quite precise, there can still be sticking points. For example, would you consider IP addresses and cookies to be personal data? (The Commission does.) A good rule of thumb is: if you doubt whether the data is personal or not, treat it as if it were. These conundrums deserve a guide of their own; for now, we shall focus on sensitive personal data.
Sensitive Personal Data
Sensitive data, or, as the GDPR calls it, ‘special categories of personal data’, is a category of personal data that is especially protected and, in general, cannot be processed.
Under the current Data Protection Directive, sensitive personal data is information pertaining to
- one’s racial or ethnic makeup
- political stances
- religious beliefs
- trade union membership
- (mental) health condition
- sexual orientation and
- criminal files and court proceedings
The GDPR encompasses these guidelines as well, but updates them to include two novel categories of sensitive data:
- biometric data
- genetic data
The GDPR therefore changes certain aspects of how sensitive and personal data are defined compared with the DPD. However, the difference is insignificant. The main changes lie in the requirements for processing.
Conditions for Processing Sensitive Data
In order to process any personal data at all, you must comply with the basic data processing principles, as outlined in Article 5. This article specifies the following requirements:
- Data must be processed lawfully, fairly and transparently
- It must be collected for a specific purpose
- Processing must be limited to what is necessary and use as little data as possible
- Data must be as accurate as possible
- Personal data should be pseudonymized and/or encrypted
- Adequate data protection measures must be taken.
Not only that, but you must also demonstrate that there are sufficient grounds (conditions) for processing. Most commonly, this means obtaining consent for the processing of personal data. Alternatively, the processing may be necessary to comply with a legal obligation, for reasons of public interest, to protect the vital interests of the individual, or to perform a contract with the individual (such as the provision of online services and the like). You may also have a legitimate interest in processing the data, unless it is overridden by the individual’s interests.
But that works for personal data, not sensitive personal data. What can you do with those?
As per Article 9(1) of the GDPR, processing of sensitive personal data is prohibited.
However, this prohibition is to be taken with a grain of salt. The list of exceptions is long, longer even than that of the DPD. This means the GDPR actually gives companies additional grounds for the processing of sensitive personal data (among those listed below).
You can process sensitive personal data if:
- You have obtained explicit consent from the individual, unless prohibited by law
- The processing is necessary for exercising the subject’s rights in employment, social security and social protection law, if adequate safeguards are present
- The data is processed for the protection of vital interests of the data subject, when he or she is unable to give consent
- The processing is carried out by a non-profit organization, but only with its own (including former) members and only for narrow purposes within the organization
- The sensitive personal data has evidently been made public by the individual
- It is required for legal action or legal claims, or by a court
- There are reasons of substantial public interest
- There are public health reasons for the processing (the prevention of epidemics etc.)
- It is carried out for scientific, archival, historical research or statistical purposes (with the data pseudonymized)
Do note that the Member States may limit or expand the conditions regarding health, biometric and genetic data as they see fit.
What Do I Do?
If you already comply with the general DPD principles on data processing, you are on the right track. The changes are neither numerous nor insurmountable, and the current guidelines are mostly replicated, even expanded, within the GDPR.
Note that even if you do make use of those exceptions for data processing, if you are challenged or investigated, the onus is on you to prove that such processing was indeed necessary and proper. You can do this by keeping records of your data processing activities.
You should perform privacy impact assessments before processing personal data, and doubly so for sensitive personal data. Make sure you are making use of all data protection methods and proper organisational measures.
Ensure that you obtain quality consent from your users, clients or customers. Implied consent does not work even for personal data, so it certainly will not for sensitive personal data. The GDPR has more stringent consent requirements, so make sure you update your consent mechanisms.
Explicitly inform your users of any risks and potential benefits of you processing their data. Do not hide the fact that certain categories are sensitive. Consent must be explicit and informed in order to be valid. Be particularly mindful of children, who should not be able to give consent on their own, requiring parental consent instead.
However, keep in mind that if you process health, genetic or biometric data, you could be affected by the changes enacted by the Member States. Carefully monitor any changes in legislation in the countries where you operate.
The guidelines for processing sensitive personal data in the GDPR do not deviate much from the DPD, and so adapting to the new legislation in this regard should not be difficult.
However, ensure that your current mechanisms are good enough. The fines are very high and ensuring the proper processing of personal data will certainly be among the top priorities of the regulators. Do not expect them to ‘go easy’ on companies once they find irregularities, especially in this regard, amidst controversies regarding personal data processing and breaches.
Furthermore, a sound mechanism for processing sensitive data will benefit your company as well, since you will be better protected against the risks of data breaches, and you will also gain the respect of your users for transparency and reasonable use of their data.