Sensitive data—also known as special category data or sensitive personal data—is confidential information that you should only make available to people who have the right permissions to access it.
Data is not considered sensitive if it’s:
But what types of personal data are considered sensitive? Let’s find out.
You’ll need to store sensitive data like this separately from other personal data. And, when you store it digitally, you’ll also need to encrypt it or remove any personally identifiable markers.
This last point also applies to personal data, but there are also some important differences between the two types of information. Let's find out what they are.
In short, no. There are much tougher rules that apply to processing and storing sensitive data.
Personal data is any information that someone could use to identify an individual or establish their physical presence at a location. Things like CCTV footage, fingerprints, physical addresses and phone numbers, for example. So, if you can use a piece of information to identify a data subject, you’re dealing with personal data.
But sensitive data is a whole different level. It’s the type of information that could cause harm to an individual if you disclosed it. As such, the regulations protect it on legal, ethical or other relevant grounds.
Even when handling non-sensitive data, you’ll still need to exercise some caution: although some pieces of data aren’t individually sensitive, combined they could help someone identify a data subject. Things like:
This isn't an exhaustive list—non-sensitive personal data can apply to any type of personally identifiable information even if it doesn’t qualify as special category data.
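The two practical points above, keeping special category data separate from other personal data and stripping direct identifiers from what you store, and the warning that harmless-looking fields can re-identify someone in combination, can be shown in a small script. This is an added example written for this page, not code from the page's author or any product it mentions. The field classification, the sample records, the HMAC key and the `k=2` threshold are all constructed assumptions; which fields count as special category is a policy decision your organization makes, and a production key would come from a key management service rather than a literal in the source.

```python
"""Added example: classify fields, separate special-category data from the
rest of a record, pseudonymise the link between the stores, and flag rows
whose quasi-identifiers could single a person out. Everything here is
constructed for illustration and uses only the Python standard library."""
import hashlib
import hmac
from collections import Counter

# Constructed classification of fields (assumption for this example).
SPECIAL_CATEGORY = {"health_condition", "ethnicity", "trade_union_member"}
DIRECT_IDENTIFIERS = {"name", "email", "phone"}
# Fields that are harmless alone but can re-identify someone in combination.
QUASI_IDENTIFIERS = ("postcode", "date_of_birth", "gender")


def pseudonymise(value: str, key: bytes) -> str:
    """Keyed token replacing a direct identifier. Someone holding only the
    general or sensitive store, without `key`, cannot recompute or reverse
    the token, so those stores cannot be tied back to a named person."""
    return hmac.new(key, value.encode("utf-8"), hashlib.sha256).hexdigest()[:24]


def split_record(record: dict, key: bytes) -> dict:
    """Split one subject record into three stores keyed by the same token:
    identity (direct identifiers, most restricted), sensitive (special
    category fields) and general (everything else)."""
    token = pseudonymise(record["email"], key)
    identity = {f: v for f, v in record.items() if f in DIRECT_IDENTIFIERS}
    sensitive = {f: v for f, v in record.items() if f in SPECIAL_CATEGORY}
    general = {f: v for f, v in record.items()
               if f not in DIRECT_IDENTIFIERS and f not in SPECIAL_CATEGORY}
    return {
        "identity": {token: identity},
        "sensitive": {token: sensitive},
        "general": {token: general},
    }


def merge_stores(records, key: bytes) -> dict:
    """Apply split_record to every record and collect the three stores."""
    stores = {"identity": {}, "sensitive": {}, "general": {}}
    for record in records:
        parts = split_record(record, key)
        for name in stores:
            stores[name].update(parts[name])
    return stores


def reidentification_risk(general_store: dict, k: int = 2) -> list:
    """k-anonymity check on the general store: return the tokens whose
    quasi-identifier combination is shared by fewer than k rows. Those rows
    can identify a person even though no single field is sensitive."""
    def combo(row):
        return tuple(row.get(q) for q in QUASI_IDENTIFIERS)
    counts = Counter(combo(row) for row in general_store.values())
    return sorted(tok for tok, row in general_store.items()
                  if counts[combo(row)] < k)


# Constructed sample records; these are not real people.
SAMPLE_RECORDS = [
    {"name": "A. Example", "email": "a@example.test", "phone": "07000000001",
     "postcode": "AB1 2CD", "date_of_birth": "1980-01-01", "gender": "F",
     "health_condition": "asthma", "ethnicity": "white", "newsletter": True},
    {"name": "B. Example", "email": "b@example.test", "phone": "07000000002",
     "postcode": "AB1 2CD", "date_of_birth": "1980-01-01", "gender": "F",
     "health_condition": "none", "trade_union_member": False, "newsletter": False},
    {"name": "C. Example", "email": "c@example.test", "phone": "07000000003",
     "postcode": "ZZ9 9ZZ", "date_of_birth": "1975-06-30", "gender": "M",
     "health_condition": "diabetes", "newsletter": True},
]
# Constructed key for the demo only; a real deployment loads it from a KMS/HSM.
DEMO_KEY = b"constructed-demo-key-do-not-reuse"

if __name__ == "__main__":
    stores = merge_stores(SAMPLE_RECORDS, DEMO_KEY)
    print("sensitive store (no names or contact details):", stores["sensitive"])
    print("tokens at re-identification risk:", reidentification_risk(stores["general"]))
```

Running it shows the sensitive store containing only tokens and special-category values, and flags the third record because its postcode, date of birth and gender combination is unique in the dataset, which is exactly the "harmless fields that identify someone in combination" situation the text warns about. The identity store is the one to lock down hardest, since it, together with the key, is what re-links the other two.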
Once you’ve identified sensitive data, you’ll need to determine how sensitive it is. Only then can you work out the level of protection that it needs.
There are several ways to do this. A key first step when measuring the sensitivity of data is to consider its confidentiality, integrity and availability. In other words, how bad would it be for your data subject (and your business) if this data were released?
Make sure data is protected from unauthorized access but easily accessible to permitted parties. Some confidentiality countermeasures include:
Ensure data remains consistent and accurate throughout its lifecycle and that information isn’t changed or tampered with. Some integrity countermeasures are:
Make data available when people need it. And make sure you protect it with relevant security controls and using countermeasures like these:
Okay, great. You’ve assessed the sensitivity of the data your organization collects! But have you considered the legalities involved when you process it?
There are six lawful grounds for processing personal and sensitive data: consent, contractual obligations, legal obligations, vital interest, public interest and legitimate interest. These grounds determine if you have a legal basis for processing sensitive data or not.
Articles 6 and 9 of the UK GDPR lay down these requirements, and here they are:
If you don’t stay up to date with the compliance requirements for processing sensitive data, your organization could be liable for damages.
You need to clearly notify individuals about the data you're collecting, the reasons why, and what you intend to do with it. The UK GDPR states that you have to get the explicit consent of the data subject. You’ll also need to:
If you don’t, you run the risk of lasting damage to your organization’s reputation, and regulatory fines and legal action.
Sensitive data requires a higher level of consideration and protection than personal data because its release could potentially harm the data subject. To stay compliant with regulations like the UK GDPR, organizations need a clear and structured approach.
An all-in-one platform for security and compliance simplifies data protection by providing guided frameworks that help bridge skill gaps and streamline security efforts. With the right tools, your organization can confidently manage sensitive data, reduce manual work, and maintain consistency—no deep in-house expertise required.