Under the UK and EU GDPR (General Data Protection Regulation), organisations are required to protect a wide range of data — but not all personal data is treated equally. A critical distinction exists between personal data and special category data (formerly known as sensitive personal data), and understanding the difference is vital for ensuring your organisation’s compliance.
As enforcement actions continue to rise in 2025 — with fines regularly exceeding millions of pounds — failure to distinguish between these categories can lead to disproportionate risk exposure, reputational harm, and even criminal liability.
Let’s break down what qualifies as personal data vs special category data, when each applies, and how to handle both responsibly in today’s regulatory landscape.
What is personal data?
Article 4(1) of the GDPR defines personal data as:
“Any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly…”
This includes:
- Name
- Email address (especially work emails like [email protected])
- Telephone number
- IP address
- Employee ID or customer ID
- Location data
- Cookies (when tied to identifiable users)
- Photos or CCTV footage
Essentially, any information that can be linked to a living individual — even indirectly — is considered personal data.
For example, a hotel chain using facial recognition to streamline check-ins must treat the collected biometric data as personal data at a minimum – and, depending on use, possibly special category data too.
What is special category (sensitive) data?
Special category data is a subset of personal data that is afforded extra protections because of its sensitive nature. This includes data revealing:
- Racial or ethnic origin
- Political opinions
- Religious or philosophical beliefs
- Trade union membership
- Genetic data
- Biometric data (where used for identification)
- Health information
- Data concerning a person’s sex life or sexual orientation
This is outlined in Article 9 of the GDPR, which generally prohibits the processing of such data unless specific legal conditions are met.
Key differences between personal data and special category data
| Personal data | Special category data | |
| Protection level | Standard GDPR protections | Elevated protections |
| Requires DPIA (data protection impact assessment)? | Sometimes (risk-based) | Often required |
| Lawful basis needed? | Yes (Art. 6 GDPR) | Yes (Art. 6 and Art. 9 GDPR) |
| Can be processed for marketing? | Yes, with consent or legitimate interest | Generally not, unless specific exceptions apply |
| Breach reporting threshold | Risk to rights/freedoms | High risk – always report and notify subject |
Lawful bases for processing special category data
You cannot simply rely on legitimate interest for processing special category data. You must identify a lawful basis under Article 6 and an additional condition under Article 9, such as:
- Explicit consent from the data subject
- Employment or social protection law compliance
- Vital interests (e.g. medical emergencies)
- Establishment, exercise, or defence of legal claims
- Public interest in public health
The UK ICO (Information Commissioner’s Office) and EU regulators have increased scrutiny around the misuse of “explicit consent.” Make sure consent is specific, granular, informed, freely given and documented.
Examples in practice (2025)
Personal data example: An e-commerce store collecting customers’ names and addresses for delivery purposes.
Action required: Ensure privacy notice transparency and data minimisation.
Special category data example: A corporate wellness programme collecting employees’ heart rate data through fitness trackers.
Action required: Conduct a DPIA, obtain explicit consent, and apply encryption and access controls.
Why it matters in 2025
As of Q1 2025:
- Over 60% of GDPR-related fines involved mishandling of special category data (source: EDPB Reports).
- Health tech, HR platforms, and AI-driven applications are under particular scrutiny for improperly storing or profiling sensitive data.
- UK and EU courts have reinforced that failure to implement additional safeguards can breach Article 32 (Security of Processing) even if a breach doesn’t occur.
Tips for compliance
- Know what data you collect – Conduct regular audits to identify both personal and special category data.
- Limit collection – If you don’t absolutely need it, don’t collect it.
- Document lawful bases – Keep a record of your Article 6 and Article 9 justifications.
- Encrypt and restrict access – Especially for special category data.
- Train your staff – Make sure everyone handling data understands the distinction and implications.
Avoid a regulatory fine with GDPR training
Gain a comprehensive introduction to the GDPR with our one-day GDPR Foundation training course.
The course gives you a clear understanding of the main elements of the GDPR. Plus, we welcome questions during the training to help you gain a deeper understanding of anything you are uncertain of.
A version of this blog was originally published on 18 July 2018.
The post The GDPR in 2025: What’s the Difference between Personal Data and Special Category Data? appeared first on IT Governance Blog.
