What Is Sensitive And Personal Data

9th April 2018

25th May 2018 is a date that needs to be in the calendar of every business, large and small, in the UK and EU. This is when the new General Data Protection Regulation (GDPR) comes into effect. From that date, companies that are not complying with the new rules could face significant sanctions. For a full overview of GDPR and what it might mean for you, please see our Understanding GDPR page.

The new requirements are complex, but they have one overarching goal: to protect individuals by improving the way organisations handle their data. Part of that protection is a clearer definition of 'personal data' and 'sensitive personal data'. As a business owner, you need to be aware of these definitions and what they mean for the way you handle data.

Under the regulation, all personal data is protected. Within personal data is a subcategory of sensitive personal data, which may only be processed under a narrower set of conditions and must have further safeguards applied in order to comply.

Personal Data

According to the ICO, following the GDPR definition, personal data is 'any information relating to an identifiable person who can be directly or indirectly identified in particular by reference to an identifier'. Put simply, this is any information that identifies a living individual, or that could be combined with other information to identify one; it is not limited to information that lets someone be physically located. Obvious examples are:

  • Name
  • National Insurance Number
  • Email Addresses
  • Phone Numbers

However, it also includes indirect identifiers, which single out a person only when combined with other information, such as:

  • Online usernames
  • Location data
  • IP addresses

Sensitive Personal Data

The GDPR refers to sensitive personal data as 'special categories of personal data'. This is data that not only identifies an individual but reveals something private about them, and whose misuse could expose them to discrimination or other harm. The special categories are:

  • Racial or ethnic origin
  • Political opinions
  • Religious or philosophical beliefs
  • Trade union membership
  • Genetic data
  • Biometric data used to uniquely identify a person
  • Health data
  • Sex life or sexual orientation

Once you understand the nature of the data that you or your business handles, you will need to know your responsibilities regarding it. These depend on whether you are a controller or a processor.

To determine whether you are a controller or a processor, you need to answer two questions:

  1. Do you or your business decide how personal data is processed (the means)?
  2. Do you or your business decide why it is processed (the purpose)?

If you have answered yes to both, you are a controller. This means you are responsible for deciding and implementing the measures that protect the data you control, and for choosing processors that can protect it too. A processor, on the other hand, is a business or entity that processes personal data on behalf of a controller and on its instructions, without deciding the purpose. Processors are not exempt from the regulation: they have direct obligations of their own, including keeping the data secure, processing it only under a written contract with the controller, and reporting any data breach to the controller without delay.

For example, a doctor's surgery or a bank would be a controller, as they collect the data for their own purposes, but a payroll company or a digital agency such as Zinc is a processor when it handles client data on the client's behalf. Note that the same organisation can be both: Zinc is a processor for its clients' data but a controller for the records of its own staff and customers.

Once you know how your business is classified, you will be able to understand your obligations and commission a gap analysis. Zinc Digital cannot offer advice on your GDPR compliance, but we can help you implement the recommendations from a third-party or internal gap analysis.

To discuss your gap analysis, get in touch with us today.
