What is sensitive personal data?

Personal data vs. sensitive personal data

The GDPR, CCPA, PIPL, CPRA, and other privacy regulations draw a clear distinction between personal data and sensitive personal data.

How can you identify and protect the personal and sensitive data your company stores?

Personally Identifiable Information (PII)

Personally Identifiable Information (PII) has quite a broad definition. It usually refers to information that, alone or in combination with other information, would allow someone to identify a person with reasonable certainty, and includes things like your name, date of birth, or email address.

Sensitive personal data

Sensitive personal data is a more specific set of categories that must be handled with greater care, because its exposure could cause a person considerable financial or personal harm.

Examples of sensitive personal data are a person’s financial and health information, race or ethnic background, political opinions, religious or philosophical beliefs, trade union membership, sex life or sexual orientation, genetic data and biometric data.

Sensitive business data

We should also mention sensitive business data. Although the regulations that protect it may be different ones, this type of data should be carefully protected as well. Sensitive business information might include intellectual property, trade secrets, plans for a merger, or any other data that would negatively affect the business if it fell into a competitor’s hands. 

How much sensitive data do you store?

If you are not sure whether you have this type of data in your systems, where it is, or how much of it you store, use DataMapper to quickly find and track sensitive data across all your company’s storage locations.  

Why is it important to keep track of all the sensitive personal data you store?

How might others access someone's sensitive personal data?

Processing mistakes

Data breaches can be simple and unintentional. For example, one of your employees might leave sensitive files unlocked or their laptop open, lose the laptop, or leak their passwords. They may send sensitive data in an unprotected email or message, or send it to the wrong person. But human error and system glitches are not the only culprits. Sensitive data is also a favorite target of cyberattackers.

Take phishing, a social engineering attack used to steal user data that is becoming more and more common. The attacker, masquerading as a trusted entity, dupes a victim (who might be you or one of your employees) into opening an email, instant message, or text message. The fraudulent message could trick you into revealing sensitive company information, or it may automatically deploy malicious software (such as ransomware) on your systems.

Ransomware attacks lock up your programs or data files, causing a costly interruption to your business, while data theft exposes you and all the personal data you store to the attacker.  

Once they’ve gained access to sensitive data such as bank account or credit card numbers, personal health information, or Social Security numbers, cyber-criminals can do a world of damage to you and your customers. They can easily open a line of credit in someone else’s name, empty bank or stock trading accounts, and more.

What happens if sensitive data is breached?

The consequences of a breach of sensitive information also vary for companies, ranging from relatively minor to catastrophic depending on the amount of data leaked, its sensitivity, and your company’s level of negligence.

In some cases, companies have been required to pay tens of millions of dollars in damage compensation to customers and financial institutions. Small and medium businesses are the most vulnerable: smaller organizations bear higher costs relative to their size than larger organizations, which limits their ability to recover financially from a data breach.

Besides substantial financial penalties, companies found in breach will have to spend money on responding to and recovering from it, and will suffer a damaged reputation among stakeholders and customers. Customer turnover, business disruption, and system downtime add to the heavy costs of a data breach.

Organizations today have around a 30% chance of experiencing a data breach within two years. 

It is impossible to guarantee this will not happen to your company, but there is much you can do to prevent it and, at the same time, demonstrate ‘good faith’ when handling others’ personal data, minimizing potential liability.

Having systems and processes in place to track and protect sensitive data (and documenting those processes) can show authorities and others that your company did everything required to ensure the security of people’s sensitive data and may reduce your company’s culpability in case of a data breach.  

How can mapping your sensitive data help?

Find out where all your data is stored 

Classify data by its sensitivity/risk level, type and format 

Choose and implement effective and compliant security controls  

Create accurate Data Privacy Impact Assessments 

Report personal data breaches and security incidents on time 

Continuously monitor your risk level and assess the impact of your data processing activities 

Keep documentation and create audit reports to comply with other legal requirements 

Would you like to learn more about how to use DataMapper to easily discover, map and continuously monitor all your team’s sensitive data?

Sebastian Allerelli

Governance, risk, and compliance specialist