The General Data Protection Regulation (GDPR) has defined a subsection of personal data known as “special category data” or data that regulators consider extremely sensitive. Under the GDPR, organizations are required to take extra measures to protect this sensitive personal information.

Follow this list of best practices for collecting and handling special category data to ensure GDPR compliance and keep your customers’ confidential data safe.


What Is Special Category Data?

What is it about certain data that makes it special? The GDPR defines special category data as personal information that could cause significant privacy issues for the individual involved if it were leaked or lost. This includes:

  • Biometrics or genetics
  • Health
  • Political opinions
  • Race or ethnicity
  • Religious or philosophical beliefs
  • Sexual orientation or sexual life
  • Trade union membership


The risks involved in the misuse of special category data include identity fraud, reputational damage, embarrassment, discrimination, and personal harm. Note that data about children and criminal records isn’t included in the special categories but is addressed by separate provisions.


Best Practices to Process Special Category Data

Article 9 of the GDPR outlines when and how businesses should process special category data. Under normal circumstances, processing such data is prohibited unless absolutely necessary and justifiable. The conditions for processing special category data are outlined in Article 9 and summarized below:

1. Obtain Explicit Consent

Businesses can only process special category data if they have explicit consent from the data subject or if the subject has manifestly made the data public themselves. Otherwise, a business has no legal right to process special categories of data.

It’s important to note that even with explicit consent from the data subject, EU member states can still prohibit data processing at their discretion. Consulting a compliance expert and having a clear and thorough consent process are important best practices to ensure you get explicit consent from your data subjects.

2. Process Only Necessary Data

Needed for Employment, Social Security, and Protection Law

Special category data may be processed if it’s necessary to fulfill obligations or exercise specific rights of the controller or the data subject in the field of employment, social security, and social protection law.

This processing must be authorized by Union or Member State law or a collective agreement and must have appropriate safeguards in place.

Protect the Vital Interests of the Data Subject or Others

Processing special category data may also be permitted if it’s necessary to protect the vital interests of the data subject or another person, such as when health information is required for medical care and the subject is unable to give consent. Processing is also permitted when it’s necessary for establishing, exercising, or defending legal claims, or whenever courts are acting in their judicial capacity.

3. Archive For Research Purposes

GDPR also allows processing of special category data for archiving purposes in the public interest, for scientific or historical research, or for statistical purposes, so that researchers and statisticians can conduct their work without undue interference.

This type of processing must be based on Union or Member State law. It must also have strict protections in place to ensure the rights and interests of data subjects are respected.

4. Consider Public Interest and Health

Special category data can be processed when absolutely necessary for reasons of substantial public interest or to protect public health. This includes cases where it’s required for disease control or prevention and monitoring of medical products or devices.

5. Assess the Ability to Work, Rehabilitation, or Treatment

Finally, processing special category data may be necessary to carry out preventive or occupational medicine, assess a person’s work ability, or provide rehabilitation or treatment.

Conclusion

Overall, special category data is highly sensitive and requires careful handling to protect the rights and interests of data subjects. As a business owner, it’s important to be familiar with the GDPR’s rules on special category data and the best practices for implementing appropriate safeguards and obtaining consent from your data subjects.

Developing strong data processing policies and conducting risk assessments can help protect your business while ensuring compliance with GDPR and avoiding GDPR fines.


About the Author: Marc Parrish

Marc Parrish, Founder and CEO of PieEye INC., is a seasoned marketing expert with a rich history in the industry. Holding an MBA from UCLA and a background in Mechanical Engineering from the University of Michigan, Marc's expertise spans interactive marketing to product marketing. Based in San Francisco, his insights into the digital transformation of the U.S. retail sector are deeply informed by his vast experience and passion for various social causes.
