Skip to main content

Personal data vs. sensitive personal data

The GDPR, CCPA, PIPL, CPRA, and other privacy regulations draw a clear distinction between personal data vs. sensitive personal data. How can you identify and protect the personal and sensitive data your company stores?

Personally Identifiable Information (PII)

Personal Identifiable Information (PII) has quite a broad definition and usually refers to information that alone or in combination with other information would allow someone to identify a person with reasonable certainty; and includes things like your name, date of birth, or email. 

Sensitive personal data

Sensitive personal data is a more specific set of categories that must be handled with greater care, as its exposure could cause a person considerable financial or personal harm.  

Examples of sensitive information are a person’s financial and health information, race or ethnic background, political opinions, religious or philosophical beliefs, membership of a trade union, sex life or sexual orientation, genetic data and biometric data.   

Sensitive business data

We should also mention sensitive business data. Although the regulations that protect it may be different ones, this type of data should be carefully protected as well. Sensitive business information might include intellectual property, trade secrets, plans for a merger, or any other data that would negatively affect the business if it fell into a competitor’s hands. 

How much sensitive data do you store?

If you are not sure whether you have this type of data in your systems, where it is, or how much of it you store, you should find out now.

Search files

How might others access someone's sensitive personal data?

Processing mistakes

Data breaches can be simple and unintentional. For example, one of your employees might leave sensitive files unlocked, their laptop open, lose it or leak their passwords. They may send sensitive data in an unprotected email/message or send it to the wrong person.

But human error and system glitches are not the only culprits. Sensitive data is also a favorite target of cyberattackers.

Want more free data privacy tips?

Get the latest data privacy management news, trends and expert tips delivered straight to your inbox.


    Take phishing, a social engineering attack used to steal user data that is becoming more and more common.

    The attacker masquerades as a trusted entity. The goal is to dupe a victim (that might be you or one of your employees) into opening an email, instant message, or text message. The fraudulent message could trick you into revealing sensitive company information. It can also automatically deploy malicious software on your systems (like ransomware). 

    Ransomware attacks lock up your programs or data files, causing a costly interruption to your business. Data theft, on the other hand, exposes you and all the personal data you store to theft or publication.  

    Once they’ve gained access to sensitive data like bank account or credit card numbers, personal health information, Social Security numbers, etc., cyber-criminals can do a world of damage to you and your customers. They can easily open up a line of credit in someone else’s name, empty bank or stock trading accounts, and more. 

    Thief stealing data

    What happens if sensitive data is breached?

    The consequences of a data breach of sensitive information for companies will also vary, and can be relatively minor to catastrophic, depending on the amount of data leaked, its sensitivity, and your company’s level of negligence.  

    In some cases, companies had to pay tens of millions of dollars in damage compensation to customers and financial institutions. Small and medium businesses are the most vulnerable. Smaller organizations have higher costs relative to their size than larger organizations. This makes it very difficult to recover financially from a data breach. 

    Besides substantial financial penalties, companies found in breach will have to spend money on responding to and recovering from it. They will also suffer a damaged reputation among stakeholders and customers. Customer turnover, business disruption, and system downtime will add to the heavy costs of a data breach. 

    Organizations today have around a 30% chance of experiencing a data breach within two years. 

    It is impossible to guarantee this will not happen to your company, but there is much you can do to prevent it and at the same time demonstrate ‘good faith’ when handling others’ personal data, minimizing potential liability.  

    Put systems and processes in place to track and protect sensitive data, and to document those processes. Show authorities and others that your company does everything required to ensure the security of people’s sensitive data. This may reduce your company’s culpability in case of a data breach.  

    Do this to protect your data

    A tool for data discovery can help you organize your files and protect the sensitive personal data you have stored. It can help you with the following:

    Find out where all your data is stored 

    Classify data by its sensitivity/risk level, type and format 

    Choose and implement effective and compliant security controls  

    Create accurate Data Privacy Impact Assessments 

    Report personal data breaches and security incidents on time 

    Continuously monitor your risk level and assess the impact of your data processing activities 

    Keep documentation and create audit reports to comply with other legal requirements 

    We have developed DataMapper to easily find, map and continuously monitor sensitive data.

    Learn more → 

    Sebastian Allerelli

    Governance, risk, and compliance specialist