Special Category Data Under GDPR: Examples & Best Practices - PieEye (2025)

The General Data Protection Regulation (GDPR) defines a subset of personal data known as “special category data”: data that regulators consider extremely sensitive. Under the GDPR, organizations are required to take extra measures to protect this sensitive personal information.

Follow this list of best practices for collecting and handling special category data to ensure GDPR compliance and keep your customers’ confidential data safe.


What Is Special Category Data?

What is it about certain data that makes it special? The GDPR defines special category data as personal information that could cause significant privacy issues for the individual involved if it were leaked or lost. This includes:

  • Biometrics or genetics
  • Health
  • Political opinions
  • Race or ethnicity
  • Religious or philosophical beliefs
  • Sexual orientation or sexual life
  • Trade union membership


The risks involved in the misuse of special category data include identity fraud, in addition to reputational damage, embarrassment, discrimination, and personal harm. Note that information surrounding children and criminal records isn’t included but is addressed by separate laws.


Best Practices to Process Special Category Data

Article 9 of the GDPR outlines when and how businesses should process special category data. Under normal circumstances, processing such data is prohibited unless absolutely necessary and justifiable. The conditions for processing special category data are outlined in Article 9 and summarized below:

1. Get Explicit Consent

Businesses can only process special category data if they have express consent from the data subject or if the subject has publicized the data themselves. Otherwise, a business has no legal right to process special categories of data.

It’s important to note that even with explicit consent from the data subject, EU member states can still prohibit data processing at their discretion. Consulting a compliance expert and having a clear and thorough consent process are important best practices to ensure you get explicit consent from your data subjects.

2. Process Only Necessary Data

Needed for Employment, Social Security, and Protection Law

Necessary special category data may be processed if it’s required to fulfill obligations or exercise specific rights of the data subject concerning employment, protection, and social security law.

This processing must be authorized by Union or Member State law or a collective agreement and must have appropriate safeguards in place.

Protect the Vital Interests of the Data Subject or Others

Processing special category data may also be permitted if it’s necessary to protect the vital interests of the data subject or another person, such as in cases where health information is required for medical care. This also applies when data processing is necessary for filing, pursuing, or defending legal claims or whenever courts are involved.

3. Archive For Research Purposes

GDPR also allows processing of special category data for archiving in the public interest, for scientific and historical research, or for statistical purposes, so that researchers and statisticians can conduct their work without undue interference from businesses.

This type of processing must be based on Union or Member State law. It must also have strict protections in place to ensure the rights and interests of data subjects are respected.

4. Consider Public Interest and Health

Special category data can be processed when absolutely necessary for reasons of substantial public interest or to protect public health. This includes cases where it’s required for disease control or prevention and monitoring of medical products or devices.

5. Assess the Ability to Work, Rehabilitation, or Treatment

Finally, processing special category data may be necessary to carry out preventive or occupational medicine, assess a person’s work ability, or provide rehabilitation or treatment.

Conclusion

Overall, special category data is highly sensitive and requires careful handling to protect the rights and interests of data subjects. As a business owner, it’s important to be familiar with the GDPR requirements related to special category data and the best practices for implementing appropriate safeguards and obtaining consent from your data subjects.

Developing strong data processing policies and conducting risk assessments can help protect your business while ensuring compliance with GDPR and avoiding GDPR fines.


Article information

Author: Horacio Brakus JD
