GDPR (2) Special categories of personal data
The GDPR seeks to find a balance between the purposes for which organisations collect and use personal data and the right that all individuals have to the protection of their privacy. The nature and quantity of the processed data must always be proportionate to the purpose for which the data are used.
The extent to which personal data are sensitive varies widely. Some personal data are publicly known or are so widespread and easy to find that a data breach would cause hardly any problems and could not be considered a true invasion of privacy. Other types of data are so confidential that the GDPR has created special categories of personal data, to which additional rules apply. It is therefore crucial that you are aware from the outset whether the personal data that are to be processed belong in a special category.
The GDPR specifies the following special categories:
- Information about a person’s racial or ethnic origin
- Data relating to a person’s religious or philosophical beliefs
- Information about a person’s political opinions or trade union membership
- Data relating to a person’s sex life or sexual orientation
- Medical information
- Biometric identification data and DNA
- Information about criminal convictions and offences
As a general rule it is best not to collect or process any of the above data. However, if such data have to be collected and processed, the purpose for which, and the legitimate ground on which, this is done must be clearly recorded. Specific conditions have to be met for those special categories. When it comes to the different phases of data processing, stricter standards also apply with regard to information security, transfers of data to a location outside Europe, and the handling of data breaches in particular. We will therefore revisit this subject in future instalments of this blog.
With regard to personal data that do not belong in any of the special categories, it is still possible to make a distinction between data that have a low risk of invading privacy and more sensitive information. Financial information, for instance, is more sensitive than an address, and data concerning children must always be handled with extra care.
If you collect and use personal data, you must therefore always consider whether you really need the data in question for your intended purpose and how great the risk is that a person’s privacy may be invaded. The risk increases in line with the number of people concerned and the amount of data collected on them. This is essentially how the privacy impact assessment (PIA) is performed. An entire project may need to be set up for the PIA, or, depending on the circumstances, a simple weighing-up of the facts may be sufficient, but you always have to keep a record.
In addition, a number of steps can be taken to reduce the sensitivity of the personal data that are to be processed.
- The best solution is to use anonymous data. If the data have been correctly anonymised (meaning that the individuals can no longer be identified), they no longer count as personal data and therefore the GDPR does not apply. Data used for academic research are always anonymised wherever possible, and this approach is also suitable for large-scale data processing for marketing purposes. One of the methods that may be used is to combine data to form groups. If this method is chosen, the amount of data must be large enough to ensure each group always contains a reasonable number of individuals (a minimum of 50 people often applies). You need to be aware that the wider the variety of data you collect, the more likely it is that a person will be identifiable if data are combined.
- One commonly used method is pseudonymisation. In this method, all the elements in a dataset that identify an individual are removed and replaced by a meaningless key. The file containing the keys is stored separately. Although such data still qualify as personal data, because they relate to an identifiable person, the risk that there will be an impact on any of the persons concerned is much lower. Pseudonymisation is therefore a good security measure for sensitive data that have to be transferred, for example.
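The two measures above, pseudonymisation with a separately stored key table and anonymisation by forming groups with a minimum size, are easier to reason about in code. The following is an added example, not code from the original post or from Group Joos; the dataset is constructed (no real people), the 50-person minimum is the figure quoted above, and the field names are assumptions.

```python
import secrets
from collections import Counter

DIRECT_IDENTIFIERS = ("name", "email")

def build_records():
    """Constructed sample population (not real people): 120 records with
    postcode groups of 60, 40 and 20 so the outcomes below are predictable."""
    records = []
    for i in range(120):
        postcode = "2000" if i < 60 else "2100" if i < 100 else "2200"
        records.append({"name": f"Person {i}", "email": f"person{i}@example.org",
                        "postcode": postcode, "age": 20 + i % 50, "spend": 10 * (i % 7)})
    return records

def pseudonymise(records):
    """Replace the direct identifiers with a random, meaningless key.
    Returns (dataset, key_table); the key table is what must be stored
    separately, since it is the only way back to the individual."""
    dataset, key_table = [], {}
    for r in records:
        pseudonym = secrets.token_hex(8)
        key_table[pseudonym] = {f: r[f] for f in DIRECT_IDENTIFIERS}
        dataset.append({"id": pseudonym,
                        **{k: v for k, v in r.items() if k not in DIRECT_IDENTIFIERS}})
    return dataset, key_table

def generalise_age(dataset, width=10):
    """Coarsen exact age into a band, a typical step before forming groups."""
    out = []
    for r in dataset:
        low = r["age"] - r["age"] % width
        out.append({**r, "age": f"{low}-{low + width - 1}"})
    return out

def group_sizes(dataset, fields):
    """How many individuals share each combination of the given fields."""
    return Counter(tuple(r[f] for f in fields) for r in dataset)

def anonymise(dataset, fields, min_group_size=50):
    """Aggregate to group counts, dropping groups below the minimum size;
    a group of one is an identified individual, not anonymous data."""
    return {g: n for g, n in group_sizes(dataset, fields).items() if n >= min_group_size}

if __name__ == "__main__":
    dataset, key_table = pseudonymise(build_records())
    print(anonymise(dataset, ("postcode",)))                         # {('2000',): 60}
    print(anonymise(generalise_age(dataset), ("postcode", "age")))   # {} : too much variety
    print(min(group_sizes(dataset, ("postcode", "age")).values()))   # 1 : individual exposed
```

Grouping on postcode alone leaves one publishable group; adding even a banded age splits every group below the minimum, and on exact age some groups shrink to a single person, which illustrates the warning above about variety of data.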
Although the definitions used in the GDPR for personal data, sensitive personal data and personal data that belong in special categories are essentially the same as those used in the old privacy legislation, a good understanding of them is needed as a starting point whenever the impact of the GDPR is considered. The next instalment of this blog will offer a more in-depth examination of what is meant by processing itself and of the roles that the law recognises. In that field there are significant differences between the GDPR and former rules.
Viktor D’Huys is the ICT manager of Group Joos. He is responsible for matters including data security and the coordination of the GDPR project. He is a Certified Information Security Manager (CISM certified by the ISACA) and has been awarded the CIPP/E (Certified Information Privacy Professional/Europe) credential by the IAPP (International Association of Privacy Professionals), which is the world’s largest organisation of privacy professionals.
If you have any questions or comments, please write to us at firstname.lastname@example.org.