Personal data and Sensitive Personal data are two common terms used when talking about GDPR. But there’s a distinct difference when referencing the two.
Definition under the Data Protection Act 1998 (DPA): “Data which relates to a living individual who can be identified.”
Definition under the GDPR: “Any information relating to an identified or identifiable natural person.”
Personal data is information that can identify someone. This includes:
- A name and surname
- A home address
- An email address
- An identification card number
- An IP address
Sensitive personal data (called “special category data” under the GDPR) – definition under the GDPR: “Data consisting of racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, genetic data, biometric data, data concerning health or data concerning a natural person’s sex life or sexual orientation.”
Sensitive personal data should be kept separate from other data: ideally in a locked drawer or filing cabinet, and on laptops or portable devices only if the file has been encrypted.
Six lawful grounds for processing data
There’s a misconception about GDPR that organisations only need to request consent to process personal data. But consent is only one of six lawful bases, and any one of them can justify processing:
- Consent – Consent should be a clear affirmative act establishing a freely given, specific and informed indication of the data subject’s agreement to the processing of personal data relating to them. This can be by a written statement, including by electronic means, or an oral statement.
- Contractual obligations – This applies when a contract is established with a client/customer and their data is needed in order to fulfil obligations under that contract, or when a contract is yet to be made but the client/customer asks for an initial step (e.g. a quote) for which their data is needed.
- Legal obligations – This is when processing personal data is necessary to comply with the law.
- Vital interests – This is when personal data is needed for safety reasons (e.g. to protect someone’s life).
- Public interest – This is when data is needed “for the performance of a task carried out in the public interest” or “in the exercise of official authority”
- Legitimate interests – This is the most flexible of the six. It can cover processing carried out for any reasonable purpose, but only where that interest is not overridden by the interests or fundamental rights of the individual, so it still has to be justified and documented.
How to keep data safe
There are a few basic principles you can follow to keep customer data secure. The most important is digital security, such as strong passwords and encryption. This minimises the risk of files being compromised or hacked, while also helping you comply with the General Data Protection Regulation.
It’s important to encrypt files containing customer data at the document or page level, because a file encrypted on its own stays unreadable if it is copied, emailed or left on a lost device. For more information on encryption, read Encryption: How It Works And What Should Be Encrypted.
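The following is an added example, not code from the original article or from any product it describes, showing what “encrypting at the document level” means in practice: one file is sealed under a passphrase with AES-256-GCM, so the stored file both stays unreadable without the passphrase and fails to open if even one bit of it is altered. The passphrase, the sample record, the iteration count and the file layout (salt, nonce, ciphertext, tag) are assumptions made for the example; PBKDF2 is implemented by hand only so the code needs nothing outside the Go standard library.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"encoding/binary"
	"errors"
	"fmt"
)

const (
	saltLen   = 16      // random salt stored with each file
	nonceLen  = 12      // standard AES-GCM nonce size
	tagLen    = 16      // AES-GCM authentication tag size
	keyLen    = 32      // AES-256
	kdfRounds = 100_000 // PBKDF2 iteration count (assumed value for this example)
)

// ErrCorrupt is returned when the file fails authentication: it was modified,
// truncated, or the passphrase is wrong. GCM does not distinguish these cases.
var ErrCorrupt = errors.New("file is corrupt, was tampered with, or the passphrase is wrong")

// pbkdf2SHA256 implements PBKDF2-HMAC-SHA256 (RFC 8018) with only the standard
// library so the example has no third-party dependency. In production prefer a
// memory-hard KDF such as scrypt or Argon2id.
func pbkdf2SHA256(pass, salt []byte, rounds, outLen int) []byte {
	mac := hmac.New(sha256.New, pass)
	var out []byte
	for block := uint32(1); len(out) < outLen; block++ {
		mac.Reset()
		mac.Write(salt)
		var idx [4]byte
		binary.BigEndian.PutUint32(idx[:], block)
		mac.Write(idx[:])
		u := mac.Sum(nil)
		t := append([]byte(nil), u...)
		for i := 1; i < rounds; i++ {
			mac.Reset()
			mac.Write(u)
			u = mac.Sum(nil)
			for j := range t {
				t[j] ^= u[j]
			}
		}
		out = append(out, t...)
	}
	return out[:outLen]
}

// newGCM derives the file key from the passphrase and this file's salt.
func newGCM(passphrase string, salt []byte) (cipher.AEAD, error) {
	key := pbkdf2SHA256([]byte(passphrase), salt, kdfRounds, keyLen)
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// Encrypt seals one document under a passphrase. Output layout (assumed for the example):
//   salt (16) || nonce (12) || AES-256-GCM ciphertext || tag (16)
// The header is bound in as additional authenticated data, so neither the
// salt nor the nonce can be swapped without the tag check failing.
func Encrypt(passphrase string, plaintext []byte) ([]byte, error) {
	header := make([]byte, saltLen+nonceLen)
	if _, err := rand.Read(header); err != nil { // fresh salt and nonce per file
		return nil, err
	}
	salt, nonce := header[:saltLen], header[saltLen:]
	gcm, err := newGCM(passphrase, salt)
	if err != nil {
		return nil, err
	}
	return append(header, gcm.Seal(nil, nonce, plaintext, header)...), nil
}

// Decrypt reverses Encrypt. Any change anywhere in blob is rejected.
func Decrypt(passphrase string, blob []byte) ([]byte, error) {
	if len(blob) < saltLen+nonceLen+tagLen {
		return nil, ErrCorrupt
	}
	header := blob[:saltLen+nonceLen]
	salt, nonce := header[:saltLen], header[saltLen:]
	gcm, err := newGCM(passphrase, salt)
	if err != nil {
		return nil, err
	}
	plaintext, err := gcm.Open(nil, nonce, blob[saltLen+nonceLen:], header)
	if err != nil {
		return nil, ErrCorrupt
	}
	return plaintext, nil
}

// TamperDetected flips one bit in a copy of the stored blob and reports
// whether Decrypt rejects the result; true means the change was caught.
func TamperDetected(passphrase string, blob []byte) bool {
	bad := append([]byte(nil), blob...)
	bad[len(bad)-1] ^= 0x01
	_, err := Decrypt(passphrase, bad)
	return errors.Is(err, ErrCorrupt)
}

func main() {
	// Constructed sample record for the demo; not real customer data.
	record := []byte("customer_id=10492,name=Jane Doe,email=jane@example.com,health=asthma")
	pass := "correct horse battery staple" // assumed passphrase; keep it out of the file's location
	blob, err := Encrypt(pass, record)
	if err != nil {
		panic(err)
	}
	back, err := Decrypt(pass, blob)
	if err != nil {
		panic(err)
	}
	fmt.Printf("encrypted %d bytes into %d bytes; round trip ok: %v\n", len(record), len(blob), bytes.Equal(back, record))
	fmt.Printf("single-bit tamper detected: %v\n", TamperDetected(pass, blob))
	_, err = Decrypt("wrong passphrase", blob)
	fmt.Printf("wrong passphrase rejected: %v\n", err != nil)
}
```

The point of the authenticated mode is that a file altered in transit or on a lost device is rejected outright instead of decrypting to silently corrupted customer data. Document-level encryption only helps if the passphrase or key is kept away from the file itself (a password manager or a key store, never a note in the same folder), and it complements rather than replaces full-disk encryption on the laptop.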
In conclusion, you can avoid regulatory fines by understanding the implications and legal requirements for your business or organisation.
If you would like further information on GDPR, feel free to contact us. Our team of experts are happy to help.
Read our last article on IaaS vs PaaS: The Future of Technology