Personal data vs Sensitive Data: What’s the Difference?

At the heart of the GDPR (General Data Protection Regulation) is the concept of ‘personal data’.

But what constitutes personal data? Are names and email addresses classified as personal data? What about photographs and ID numbers?

And where does the related concept of ‘sensitive personal data’ fit in?

If you’re unsure of the difference between personal and sensitive data, keep reading. We explain everything you need to know and provide examples of personal and sensitive personal data.

What is personal data?

In the most basic terms, personal data is any piece of information that someone can use to identify, with some degree of accuracy, a living person.

For example, the email address johnsmith@companyx.com” is considered personal data, because it indicates there can only be one John Smith who works at Company X.

Likewise, your physical address or phone number is considered personal data because you can be contacted using that information.

Personal data is also classed as anything that can affirm your physical presence somewhere. For that reason, CCTV footage of you is personal data, as are fingerprints.

That sounds simple enough so far. However, things get complicated when you factor in that each piece of information doesn’t have to be taken independently.

Organisations typically collect and store vast amounts of information on each data subject. The sum of that information can be considered personal data if it can be pieced together to identify a likely data subject.

Think of it like a massive game of Guess Who?

Under certain circumstances, any of the following can be considered personal data:

  • A name and surname
  • A home address
  • An email address
  • An identification card number
  • Location data
  • An Internet Protocol (IP) address
  • The advertising identifier of your phone
gdpr sensitive personal data examples

You might think that someone’s name is always personal data, but as the ICO (Information Commissioner’s Office) explains, it’s not that simple:

“By itself the name John Smith may not always be personal data because there are many individuals with that name. However, where the name is combined with other information (such as an address, a place of work, or a telephone number) this will usually be sufficient to clearly identify one individual.”

However, the ICO also notes that names aren’t necessarily required to identify someone:

“Simply because you do not know the name of an individual does not mean you cannot identify [them]. Many of us do not know the names of all our neighbours, but we are still able to identify them.”

What is sensitive personal data?

Sensitive personal data, also known as special category data, is a specific set of “special categories” that must be treated with extra security.

Sensitive personal data examples

Here are some examples of sensitive personal data:

  • Racial or ethnic origin;
  • Political opinions;
  • Religious or philosophical beliefs;
  • Trade union membership;
  • Genetic data;
  • Data related to a person’s sex life or sexual orientation; and
  • Biometric data (where processed to uniquely identify someone).

Sensitive personal data should be held separately from other personal data, preferably in a locked drawer or filing cabinet.

As with personal data generally, it should only be kept on laptops or portable devices if the file has been encrypted and/or pseudonymised.

A common misconception about the GDPR is that all organisations need to seek consent to process personal data.

In fact, consent is only one of six lawful grounds for processing personal data. The strict rules regarding lawful consent requests make it the least preferable option.

However, there will be times when consent is the most suitable basis. Organisations need to be aware that they need explicit consent to process sensitive personal data.

Nuances like this are common throughout the GDPR. Any organisation that hasn’t taken the time to study its compliance requirements thoroughly is liable to be tripped up.

This could lead to lasting damage, such as enforcement action, regulatory fines, bad press and loss of customers.

Avoid a regulatory fine with GDPR training 

gdpr foundation training

Gain a comprehensive introduction to the GDPR with our one-day GDPR Foundation training course.

The course gives you a clear understanding of the main elements of the GDPR. Plus, we welcome questions during the training to help you gain a deeper understanding of anything you are uncertain of.

Get started

A version of this blog was originally published on 18 July 2018.

About The Author

Luke Irwin

Luke Irwin is a former writer for IT Governance. He has a master’s degree in Critical Theory and Cultural Studies, specialising in aesthetics and technology.