How to improve data security across a remote workforce: a lesson in security training
Although the General Data Protection Regulation (GDPR) has been in place since 2018, there are still myths and misconceptions on what the GDPR actually means for businesses and individuals alike. For example, there is often some confusion relating to what is protected under the GDPR: is it all the information that’s considered private, or something else?
To give you a better understanding of what type of information must be protected under the GDPR, this post will break down the differences between personal data and privacy-sensitive information. What are their similarities and differences with respect to data protection regulations?
The GDPR is about protecting personal data - what type of data is this?
According to the Information Commissioner’s Office in the UK (ICO), under the GDPR (including UK GDPR), personal data only includes information relating to natural persons who:
1- can be identified or who are identifiable, directly from the information in question; or
2- who can be indirectly identified from that information in combination with other information.
This means that the information is directly about a person, or can be traced back to this person. Think of a person’s name, (email) address, telephone number, passport photo or fingerprints. It must be information of a natural person, so information about deceased persons or organisations does not count as personal data.
There are special types of personal data as well. This pertains to particularly sensitive data, and processing them can seriously affect someone’s privacy. Special types of data are further protected by law. Examples of this include information regarding someone’s health, race, religion, criminal record, sexual orientation or membership of a trade union. The National Identification Number (social security number) is also considered special personal data, since it is a unique number that can be traced back to an individual person.
What type of data is considered privacy-sensitive under the GDPR?
But what is privacy-sensitive data? Privacy-sensitive data can be personal data, but there are many more types of information that are considered privacy-sensitive. For example, information on organisations. This information is not about an identifiable natural person, but it is still valuable information, and you do not want to necessarily share it with the whole world. After all, privacy is about ‘deciding yourself who will get which information about you’. And what about sales records or take-over plans: when they fall into the wrong hands, this can be incredibly damaging to a company. Even something as simple as a confirmation of a hospital appointment should always remain private. So it’s important to be very careful when handling both personal data and privacy-sensitive data.
Privacy and the GDPR - it’s all about data protection awareness
The GDPR only deals with personal data. Since the GDPR came into effect, organisations must comply and be able to demonstrably show that proper security measures are in place to protect this information and maintain control of it at all times. However, this does not mean that organisations should solely focus on the protection of personal data.
At the heart of the GDPR is the overarching need to raise awareness concerning the handling of sensitive data. A lot of information that is not actually categorised as personal data, should not fall into someone else’s hands either, and therefore must also be handled with care. That’s why it’s crucial that your organisation’s employees have a solid understanding of privacy-awareness.
Do your employees know the difference between personal data and privacy-sensitive data, and could they recognise such data? Do they know how to best protect this type of information?
Our free e-book provides helpful tips on how to help your employees become more aware of safe data processing. This will enable them to be strong assets to your organisation’s data protection efforts instead of potential risks.