Personal data vs Sensitive Data: What’s the Difference?

At the heart of the GDPR (General Data Protection Regulation) is the concept of ‘personal data’.

But what constitutes personal data? Are names and email addresses classified as personal data? What about photographs and ID numbers?

And where does the related concept of ‘sensitive personal data’ fit in?

If you’re unsure of the difference between personal and sensitive data, keep reading. We explain everything you need to know and provide examples of personal and sensitive personal data.



What is personal data?

In the most basic terms, personal data is any piece of information that someone can use to identify, with some degree of accuracy, a living person.

For example, the email address “[email protected]” is considered personal data, because it indicates that there can only be one John Smith who works at Company X.

Likewise, your physical address or phone number is considered personal data because you can be contacted using that information.

Anything that can confirm your physical presence somewhere is also classed as personal data. For that reason, CCTV footage of you is personal data, as are your fingerprints.

That sounds simple enough so far. However, things get complicated when you factor in that each piece of information doesn’t have to be considered in isolation.

Organisations typically collect and store vast amounts of information on each data subject. The sum of that information can be considered personal data if it can be pieced together to identify a likely data subject.

Think of it like a massive game of Guess Who?

Under certain circumstances, any of the following can be considered personal data:

(Image: GDPR personal data examples)

You might think that someone’s name is always personal data, but as the ICO (Information Commissioner’s Office) explains, it’s not that simple:

“By itself the name John Smith may not always be personal data because there are many individuals with that name. However, where the name is combined with other information (such as an address, a place of work, or a telephone number) this will usually be sufficient to clearly identify one individual.”

However, the ICO also notes that names aren’t necessarily required to identify someone:

“Simply because you do not know the name of an individual does not mean you cannot identify [them]. Many of us do not know the names of all our neighbours, but we are still able to identify them.”


What is sensitive personal data?

Sensitive personal data, also known as special category data, is a specific set of “special categories” of personal data that must be treated with extra security.


Sensitive personal data examples

Here are some examples of sensitive personal data:

  • Racial or ethnic origin;
  • Political opinions;
  • Religious or philosophical beliefs;
  • Trade union membership;
  • Genetic data;
  • Data related to a person’s sex life or sexual orientation; and
  • Biometric data (where processed to uniquely identify someone).

Sensitive personal data should be held separately from other personal data, preferably in a locked drawer or filing cabinet.

As with personal data generally, it should only be kept on laptops or portable devices if the file has been encrypted and/or pseudonymised.


A common misconception about the GDPR is that all organisations need to seek consent to process personal data.

In fact, consent is only one of six lawful grounds for processing personal data. The strict rules regarding lawful consent requests make it the least preferable option.

However, there will be times when consent is the most suitable basis. Organisations need to be aware that they need explicit consent to process sensitive personal data.

Nuances like this are common throughout the GDPR. Any organisation that hasn’t taken the time to study its compliance requirements thoroughly is liable to be tripped up.

This could lead to lasting damage, such as enforcement action, regulatory fines, bad press and loss of customers.

Broaden your knowledge with free training

Although the GDPR has been in effect for almost half a decade now, many organisations still struggle to understand their compliance requirements.

It’s no surprise. The Regulation is a complex topic, and it’s hard to find people with the necessary expertise to handle the countless processes, policies and technologies that compliance requires.

Anyone who possesses those skills will be in high demand and able to command large salaries, but with the cost-of-living crisis affecting organisations across all sectors, it’s often not possible to bring in specialised personnel.

The best way to combat this challenge is to upskill your existing staff. You’ll gain in-house data protection expertise while the employee will gain valuable new skills that can boost their career.

If you think you or someone on your team is ready to take the next step, IT Governance offers a range of training courses.

Plus, when you book a place on selected classroom courses before the end of March, you’ll get a free place* on our DPIA (data protection impact assessment) or cyber incident response management courses.


A version of this blog was originally published on 18 July 2018.

The post Personal data vs Sensitive Data: What’s the Difference? appeared first on IT Governance UK Blog.