Data privacy laws around the world, like the GDPR in Europe, have established a much-needed framework for the collection, use and storage of personal data. As a business, you cannot handle data however you want to. This is even more true of special categories of personal data, which, due to their nature, are subject to particular attention.
👀 In this article, we take a look at the GDPR definition of special categories and how you should handle this type of data.
The expression “special categories of personal data” is the GDPR’s way of referring to sensitive data. They are defined in GDPR Article 9 as data which is of:
🔍 Read our article for an overview of what is considered sensitive personal information around the world.
As you can see from the description above, sensitive personal data is more “invasive” or “risky” than regular personal data.
Exposure of sensitive information can lead directly to harms such as discrimination against the individuals concerned, which is why you should be even more careful to avoid any exposure of it.
Under the GDPR, any collection or processing of personal data needs a lawful basis under Article 6 (informed consent is one of these bases, but not the only one), and you must give the necessary disclosures via a privacy policy. Special categories go further: Article 9 prohibits processing them altogether unless one of its listed exceptions applies, the most commonly relied on being the explicit consent of the individual.
While these requirements apply to personal data in general, there are some GDPR requirements that specifically apply to special categories of personal data. Here are three of them.
🇺🇸 Needless to say, handling sensitive data calls for stricter rules outside Europe too!
👉 Check out our US State Privacy Laws Overview
A Data Protection Officer (DPO) is the person an organisation designates to monitor that personal data is processed in line with the applicable data protection rules.
Under Article 37 of the GDPR, you are legally required to designate a DPO if you carry out certain types of processing activities, including when your core activities consist of large-scale processing of special categories of data.
💡 This means if the GDPR applies to you and if you process special categories of personal data on a large scale, you must appoint a DPO.
Similar to the DPO requirement, Article 35 of the GDPR specifically requires you to carry out a DPIA when processing special categories of personal data on a large scale.
A Data Protection Impact Assessment is the exercise in which you identify the risks that a processing activity poses to individuals and decide on the measures that minimize them, before the processing starts.
🔍 Here is a free template we have on DPIA. Click here to check it out!
Still under the GDPR, Article 30 requires data controllers and processors to maintain up-to-date records of their processing activities. Organisations with fewer than 250 employees are normally exempt from this, but the exemption does not apply when the processing includes special categories of data, so if you handle such data you must keep these records whatever your size.
This can be quite challenging to implement!
🚀 That’s why we recommend using a dedicated tool like our Internal Privacy Management. It allows you to add processing activities from 1700+ pre-made options, divide them by area, assign processors and other member roles, and to document legal bases and other GDPR-required records.