Understanding Personal and Sensitive Data: GDPR Personal Data Types Explained
Personal data identifies you, such as your name or email. Sensitive data, which might include information such as health details, needs more protection. This article will explain these terms and how to handle personal and sensitive data under GDPR.
Key Takeaways
- Personal data under UK GDPR includes any identifiable information about individuals, requiring compliant handling.
- Sensitive personal data is not a term defined by current data protection law, although it was used under the Data Protection Act 1998. While no longer a legally defined term, its use generally signals that stricter processing conditions are needed because of the potential for harm if the data is misused; this is usually assessed on context.
- Sensitive personal data was replaced under the GDPR by special categories of personal data and includes categories such as health, racial origin, and political opinions. Sensitive personal data under previous data protection legislation also included information about criminal offences and convictions and this is now categorised separately under the UK GDPR.
- Compliance with GDPR is essential for organisations managing personal data and any kind of sensitive data, including special category personal data. It requires robust security measures, regular audits, and appropriate training for personnel.
What is Personal Data under UK GDPR?
Personal data is defined under the UK GDPR to cover any information related to an identified or identifiable natural person. This includes straightforward identifiers like names, addresses, and phone numbers, but also includes less obvious data such as IP addresses, and cookie IDs. You may sometimes see the term pseudonymised data, which is data that should not directly identify an individual, but is still personal data because there will be additional information held by the controller that can be used for identification.
Organisations need to understand this definition to know which information falls within GDPR’s scope and must be handled in accordance with data protection law. The General Data Protection Regulation (GDPR) applies to personal data processed wholly or partly by automated means, and to manual data that forms, or is intended to form, part of a filing system.
Examples of Personal Data in Everyday Contexts
Personal data is not just confined to obvious identifiers like names and addresses. It includes any information that can relate to a specific individual. The context in which data is used often determines whether it is considered personal data. For example, a user’s full name, email address, and complaint details in a customer support log are personal data.
Even seemingly routine data can qualify as personal data if it enables identification. Conversely, aggregate statistics like “30% of users accessed the service via mobile” do not constitute personal data where they do not enable the identification of individuals.
Recognising personal data often involves understanding the context and the potential for identification. Whether it is health data, credit card details, or social identity, appropriate security through organisational and technical measures is essential to safeguard sensitive information and maintain compliance with data privacy laws.
Defining Special Categories of Personal Data
Special categories of personal data include information such as:
- An individual’s ethnicity or race
- Political views
- Religious beliefs
- Health status
This category is subject to stricter processing conditions due to its potential to cause harm if misused. For example, biometric data used for identifying individuals is classified as a special category of personal data.
Other special categories of personal data include trade union membership, genetic information, and details about an individual’s sexual orientation. The General Data Protection Regulation (GDPR) imposes stringent requirements on processing such information to prevent misuse and protect individual privacy.
Heightened protection means organisations must handle special categories of personal data with extra care. Encrypting special categories of personal data and limiting access to authorised personnel are likely to be critical steps in complying with data protection regulations and safeguarding any sensitive information, and any organisational and technical measures must take into account the risk associated with the data.
Examples of Special Categories of Personal Data in Practice
Consider the following examples of special categories of personal data under the UK GDPR:
- A medical record noting a patient’s diagnosis of diabetes and their prescribed treatment plan.
- Records of an employee’s trade union membership.
- Records of an employee’s religious beliefs.
All personal data requires a lawful basis under data protection law; these examples additionally require a condition for processing, and careful handling of the data.
By contrast, a customer database containing names, postal addresses, and purchase histories does not fall under the special category, though it still requires protection as personal data. For some people, their own address may be extremely sensitive and therefore the context will demand additional safeguards are put in place.
Similarly, an employee’s payroll record showing salary and tax code is personal data and is likely to be considered sensitive personal data, but is unlikely to include special categories of personal data.
Recognising the types of information handled and ensuring proper data protection measures is necessary for compliance. Healthcare information collected through fitness trackers, for example, will almost certainly be special category personal data and therefore demands higher security standards.
Key Differences Between Personal and Sensitive Data
While all personal data must be handled with care, special categories of personal data demand stricter processing rules due to its increased vulnerability and generally being associated with a higher risk of harm to data subjects if it is misused. It’s likely that the unauthorised disclosure of special categories of personal data will have more severe repercussions for individuals, compared to regular personal information.
Special categories of personal data include information about an individual’s:
- Race or ethnicity
- Political beliefs
- Religious beliefs
- Philosophical beliefs
- Trade union membership
- Genetic data
- Biometric data
- Health status
- Sexual orientation
Handling this data requires a legal basis from Article 6 of the UK GDPR as well as a condition under Article 9 of the UK GDPR. Furthermore, some special categories of personal data will also require a condition from Schedule 1 of the Data Protection Act 2018.
In addition to special categories of personal data, other personal data may also be regarded as sensitive. Financial information is one example that most people would expect to be restricted on a need-to-know basis. “Sensitive” is not defined by the legislation, although it is often used for information that people find sensitive; whether it is treated as such should be decided on a risk basis, considering both the data itself and the processing activity.
Effective compliance and risk management require understanding these key differences. Organisations must implement appropriate organisational and technical measures, which are likely to mean robust data security measures are needed to protect sensitive information (including special categories of personal data) and ensure they meet all regulatory requirements.
Recognising Personal Data vs Personal Sensitive Data
Determining whether personal data is sensitive is crucial for understanding legal responsibilities, as the law requires appropriate technical and organisational measures to be implemented to safeguard the data. Different industries have specific examples that illustrate these distinctions clearly.
We’ll explore these through scenarios in:
- healthcare
- employment
- customer interactions
- biometric data
- political party membership
Each scenario considers one or more of the factors that determine how the data is classified, which will help you understand the practical application of these definitions in various contexts.
Healthcare Information: A GP surgery storing personal information of patients
In a healthcare setting, personal data might include a patient’s name, date of birth, and phone number. However, special category personal data encompasses details of a person’s mental health diagnosis and prescribed medication. Appropriate protection of data in healthcare is critical due to the sensitive nature of the information.
Securing medical records and public health data is paramount. Data breaches in this sector can have severe consequences, necessitating robust data security measures.
Employment Records: A law firm holding employee records containing personal information
Employment records at a law firm will contain personal data such as job titles, work email addresses, and employee numbers. Special category personal data might include records of absences due to illness.
Protecting employee data is essential for compliance with data protection law. Organisations must implement appropriate security measures to prevent unauthorised access and data breaches.
Customer Interactions: An online health supplements retailer storing personal information about customers
An online health supplements retailer might store personal data such as a customer’s phone number and recent order history. Special category personal data in this context could include information provided by the customer about a medical condition requiring dietary adjustments for a product.
Protecting customer data builds trust and ensures compliance with data privacy laws. Organisations must implement robust, appropriate data security measures to safeguard sensitive information and prevent data breaches.
Biometric and Image Data: A bank storing biometric and imaging data for secure access to an office and its computer systems
At a bank, personal data might include facial recognition to uniquely identify individuals. Special category personal data includes biometric facial recognition data used for secure access to an office and computer systems, as well as when it is used as an online identifier.
Due to its sensitive nature, biometric data requires higher security measures. Banks must implement stringent access controls to restrict access and encryption to protect this information and comply with data protection regulations. Again, as with all other types of special categories of personal data, the bank must have a condition for processing special category personal data as well as a lawful basis from Article 6 of the GDPR.
Membership Information: A political party storing personal information about its party members
A political party might store personal data such as a member’s name, postal address, and membership ID although, in this context, all personal data stored is likely to be special category of personal data. The fact that a political party is storing the data is likely to indicate political affiliation and there is a condition under Article 9 of the GDPR to allow organisations such as political parties to process special category personal data for legitimate activities. In this context other information includes records showing an individual’s voting history in internal party leadership elections.
Political parties, along with all other organisations, must implement robust data security measures to safeguard sensitive information.
Legal Grounds for Processing Personal and Special Categories of Personal Data
The General Data Protection Regulation (GDPR) outlines various lawful bases for processing personal and sensitive data. Processing special category data requires documenting both a lawful basis from Article 6 and a condition from Article 9 of the GDPR. Explicit consent is one such condition, although other lawful bases and conditions are available.
Transparency is also required. It is usually achieved through privacy notices and other information provided to people about how their data will be processed, and this information must clearly communicate the lawful basis and the specific purposes of the processing.
Security Measures for Protecting Personal Data
The processing of personal data requires appropriate organisational and technical measures to be in place. Good practices for protecting access credentials and personal data include:
- Stringent access management (application of need to know) and encryption of personal data where appropriate.
- Storing personal data on portable devices only if the file is encrypted and/or pseudonymised.
- Regular testing and auditing of appropriate security measures to assess their effectiveness and identify areas for improvement.
Risk assessments will help to establish suitable security levels based on data sensitivity and value. Data minimisation techniques involve limiting the collection, processing, and storage of personal data to the minimum necessary.
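The pseudonymisation mentioned above, and the definition of pseudonymised data earlier in the article, can be made concrete with a small worked example. The following Python is an added illustration, not code from the original article or from Tkm & Associates; the support-log rows, the field names and the token length are constructed for the example. It replaces direct identifiers with a keyed token, keeps the re-identification table separately (the “additional information” the controller still holds), and computes an aggregate statistic of the kind the article says is not personal data. The choice of HMAC over a bare hash is a design point: an unkeyed hash of an email address can be recomputed by anyone who knows or guesses the address, so it is not a meaningful pseudonym.

```python
"""Pseudonymisation with a keyed token and a separately held re-identification table.

Added illustration (not from the original article): the pseudonymised file on
its own names nobody, but the controller still holds the key and the lookup
table, so the data remains personal data under UK GDPR.
"""
import hashlib
import hmac
import secrets
from collections import Counter

# Constructed sample support-log rows; the people and addresses are invented.
SUPPORT_LOG = [
    {"name": "Alice Example", "email": "alice@example.com", "channel": "mobile", "complaint": "late delivery"},
    {"name": "Bob Sample", "email": "bob@example.net", "channel": "web", "complaint": "wrong item"},
    {"name": "Alice Example", "email": "alice@example.com", "channel": "mobile", "complaint": "refund delay"},
    {"name": "Carol Test", "email": "carol@example.org", "channel": "mobile", "complaint": "damaged box"},
]

# Fields that identify a person directly and must not survive in the shared file.
DIRECT_IDENTIFIERS = ("name", "email")


def make_token(email: str, key: bytes) -> str:
    """Keyed pseudonym for one data subject.

    HMAC rather than a bare SHA-256: without the key, knowing the address is
    not enough to recompute the token, so the file cannot be reversed by
    guessing addresses. Normalising the address keeps one person on one token.
    """
    normalised = email.strip().lower().encode()
    return hmac.new(key, normalised, hashlib.sha256).hexdigest()[:16]


def pseudonymise(rows, key: bytes):
    """Return (pseudonymised_rows, lookup).

    pseudonymised_rows carry a token instead of name/email. lookup maps each
    token back to those identifiers and is the additional information the
    controller must store separately from the data and protect.
    """
    out, lookup = [], {}
    for row in rows:
        token = make_token(row["email"], key)
        lookup[token] = {k: row[k] for k in DIRECT_IDENTIFIERS}
        kept = {k: v for k, v in row.items() if k not in DIRECT_IDENTIFIERS}
        out.append({"subject": token, **kept})
    return out, lookup


def contains_direct_identifiers(rows) -> bool:
    """Check to run before a file leaves the controller: no identifier column may remain."""
    return any(k in row for row in rows for k in DIRECT_IDENTIFIERS)


def channel_share(rows, channel: str) -> float:
    """Aggregate statistic over distinct subjects, e.g. the share of users on mobile.

    A figure like this, reported on its own, does not identify anyone.
    """
    by_subject = {row["subject"]: row["channel"] for row in rows}
    counts = Counter(by_subject.values())
    return counts[channel] / len(by_subject)


def reidentify(token: str, lookup: dict):
    """What the controller, holding the lookup table, can still do; anyone without it gets None."""
    return lookup.get(token)


if __name__ == "__main__":
    key = secrets.token_bytes(32)  # held apart from the pseudonymised file
    rows, lookup = pseudonymise(SUPPORT_LOG, key)
    print("identifiers left in shared file:", contains_direct_identifiers(rows))
    print("share of distinct subjects on mobile:", round(channel_share(rows, "mobile"), 2))
    print("controller re-identifying first row:", reidentify(rows[0]["subject"], lookup))
```

In practice the key and the lookup table would live in a separate, access-controlled store from the pseudonymised export; if both are kept next to the data, the exercise adds nothing.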
Compliance with Data Protection Regulations
The General Data Protection Regulation (GDPR) governs the processing of personal data in the EU and has been in effect since 2018. Compliance with GDPR and other data privacy laws is essential for organisations to handle all types of personal data responsibly and in accordance with their statutory responsibilities.
Organisations are required to conduct regular audits and maintain data handling policies that support transparency and ongoing compliance. Being able to demonstrate compliance with data protection regulations is crucial for maintaining customer trust. Non-compliance with GDPR can result in significant penalties. For organisations within the UK, fines can reach up to 4% of an organisation’s global annual turnover or £17.5 million, whichever is greater, although the ICO (the regulator) has other enforcement tools at its disposal, including reprimands and regulatory action.
Implementing appropriate technical and organisational measures ensures the security of personal data and prevents unauthorised access. There are many different tools that can help secure personal data, including a data protection policy (required by law) and an information security policy, which will help organisations demonstrate compliance with data protection regulations.
Common Misconceptions About Personal and Sensitive Data
Not all data that feels private is legally classified as special category personal data—only specific categories listed under the UK GDPR are included.
Publicly available information, such as a phone number listed on a company website, is still considered personal data and must be handled accordingly. Business contact details (e.g. work email or job title) are not exempt from UK GDPR if they relate to an identifiable individual and require an appropriate lawful basis to process.
Anonymised data is not personal data. However, if the data is not entirely anonymous and individuals can be re-identified through additional information, it remains subject to GDPR. This includes any data that may have been pseudonymised. Consent is only one of the lawful bases that can be used to process personal data; other lawful bases such as legitimate interests or legal obligation may apply.
Recognising the many context-dependent nuances is critical for handling data appropriately and remaining compliant with data protection regulations. Misconceptions about personal data and misunderstandings of the legal requirements of data protection law can lead to non-compliance and potential penalties.
The Role of Data Protection Impact Assessments (DPIAs)
Conducting a Data Protection Impact Assessment (DPIA) is a necessary requirement when processing large-scale special category personal data to identify and mitigate potential risks. A DPIA must outline the processing activities, risk assessments, and measures to mitigate identified risks. DPIAs are proactive and this approach helps organisations address issues early, reducing costs and preventing reputational damage.
DPIAs are also mandatory where the processing will involve large-scale monitoring of a publicly accessible area, or a systematic and extensive evaluation of personal aspects of natural persons based on automated processing. This includes profiling and evaluation on which decisions are based that produce legal effects concerning the natural person, or similarly significantly affect them. The legislation also requires a DPIA where an organisation is going to use or implement new technologies in a way that is likely to result in a high risk to the rights and freedoms of data subjects.
Conducting DPIAs helps organisations safeguard sensitive information, protect data subjects’ rights, and ensure compliance with GDPR requirements including accountability, thereby building trust with stakeholders and customers.
Developing Internal Expertise for Proper Processing of Personal Data
Proper handling of personal data requires more than basic awareness—it demands ongoing training, clear policies, and operational confidence. Investing in staff expertise reduces compliance risks and strengthens trust with clients, regulators, and internal stakeholders. Organisations should establish clear internal roles and responsibilities for data protection, supported by role-appropriate training and guidance which is based on risks associated with the data and with processing activities.
Partnering with specialist providers, such as Tkm & Associates, can help build internal capability through tailored training, consultancy, and practical software tools aligned with the UK GDPR, enabling organisations to ensure that staff are well-equipped to handle personal data appropriately and in compliance with data protection law.
Effective data protection and compliance require developing internal expertise. Investing in training and partnering with experts helps organisations enhance data protection practices and meet regulatory requirements.
Summary
Understanding the distinctions between personal data, special categories of personal data and sensitive personal data is essential for compliance with GDPR and other data protection law. Organisations must recognise the types of data they handle, implement appropriate security measures, and ensure they have the legal grounds for processing personal data. Conducting DPIAs and developing internal expertise are critical steps in safeguarding personal information and maintaining trust with stakeholders.
By adhering to data protection laws and investing in robust data protection practices, organisations can turn compliance into a competitive advantage. Proper data handling not only ensures regulatory compliance but also builds customer trust and enhances the organisation’s reputation.
Frequently Asked Questions
What is considered personal data under GDPR?
Personal data under GDPR includes any information relating to an identified or identifiable individual, such as names, addresses, phone numbers, IP addresses, and cookie IDs. Any data that relates directly or indirectly to a specific person should be considered personal data.
What types of information are classified as special categories of personal data?
Special categories of personal data encompass racial or ethnic origin, political opinions, religious beliefs, health status, genetic and biometric data, sexual orientation, and trade union membership. It is crucial to handle this information with care due to its potential impact on individual privacy and rights.
Why are there stricter conditions for processing special categories of personal data?
Stricter conditions for processing special categories of personal data are necessary because of the higher risks associated with this type of data, in particular the impact that unauthorised or unlawful processing may have on individuals. Misuse can lead to significant harm.
What are the legal grounds for processing personal and special categories of personal data under GDPR?
There are 6 lawful bases under the UK GDPR which can be summarised as consent, necessary for performance of a contract with the data subject, legal obligation, vital interest, necessary for the performance of a task in the public interest or exercise of official authority, or legitimate interests. For sensitive personal data, compliance with additional conditions outlined in Article 9 of the UK GDPR is required, which may also require a condition from Schedule 1 of the Data Protection Act 2018.
How can organisations ensure compliance with data protection regulations?
Organisations can ensure compliance with data protection regulations by conducting regular audits, maintaining transparency through appropriate policies and privacy notices, implementing appropriate organisational and technical measures, and conducting Data Protection Impact Assessments (DPIAs) when necessary. These steps are essential for fostering a culture of accountability and protecting personal data.