Short answer: Sensitive data falls into two main categories: business data and personal data. Business data includes things like contracts, budgets, and legal documents, while personal data can be divided into PII (personally identifiable information) and special category personal data. Both types require protection under the GDPR.
What is sensitive data?
Sensitive data is any type of information that requires protection due to its private or confidential nature. It is sensitive because making it public could harm an organisation or a person. Naturally, the specific types of data that are considered sensitive can vary depending on your industry and your local legal requirements. In this article, we’ll talk about sensitive data that falls into two categories:
- Personal data
- Business data
Of course, these are two very broad categories, so let’s get into what they may include. Then, we’ll discuss how you can map and track all of that data to make sure it stays private.
What personal data do we have?
In addition to your sensitive business data, you probably also store a lot of sensitive personal data. It can be information about your employees, customers, contacts, etc. Some of the personal data you store is PII, while some falls under the category of sensitive personal information.
PII includes information such as:
- Name
- Address
- Date of birth
- Place of birth
- Mother’s maiden name
Sensitive personal data includes:
- Race and ethnicity
- Religion
- Political opinions
- Biometric data
- Genetic data
- Sexual orientation
- Health
- Trade union relations
Both people’s PII and their sensitive personal information (special category data) are protected by privacy regulations.
Studies show that almost 50% of UK companies have experienced a cyber attack
- www.gov.uk
What business data do we have?
Business data is all the information that supports your company and its operations. Indeed, most of this information should be kept confidential. Why? Because the valuable data you’ve accumulated over the years in the course of business can give you a competitive advantage in your field. And in some cases, you may also be legally obliged to keep business data private. Here are some examples of business data you should keep track of and protect:
- Financial information
- Business plans
- Marketing and sales data
- Supply chain information
- Research and development (R&D) data
- Manufacturing processes
- Partnership or collaboration agreements
- IT infrastructure and security data
- Internal communications
- Trade secrets
- Legal data
Just as it can harm an individual if the wrong person gains access to their personal data, your business can be equally at risk if others access your corporate data. Make sure you keep track of and protect your business-critical information.
How to protect sensitive data
Taking all these items into account, there is a good chance that you store loads of business and personal data that is sensitive. Certainly, tracking all of it is a big job to tackle. But it’s crucial to do so. First of all, because it is in your company’s own best interest. Keeping a close eye on sensitive business and personal data helps you keep your competitive advantage and your customers’ trust. Equally important is protecting the privacy of your customers, partners, and employees. Even more than avoiding fines, the small and medium business owners we deal with care about people’s privacy. Above all, they want to be certain they never leak or expose confidential data in a way that could harm those people.
FAQ about sensitive data
1. Is a national ID number considered sensitive information?
No, a national ID number (such as the Danish CPR number) is not classified as sensitive personal data under the GDPR. However, it is still considered confidential and must be protected according to national legislation.
2. What’s the difference between regular and sensitive data?
Regular personal data can identify someone—like name or address—while sensitive data reveals more private aspects such as health, beliefs, or sexual orientation. Sensitive data is subject to stricter processing rules under GDPR.
3. Do you always need consent to process sensitive data?
Not always. Explicit consent is one lawful basis, but there are others, such as legal obligations or protecting vital interests, depending on the context.
How to find your sensitive data
How can you locate your sensitive data? In practice, most organisations don’t have the time to go through all their files manually. It’s time-consuming, inaccurate, and makes it difficult to uncover the critical information that may pose a risk to the business.
At Safe Online, we offer a GDPR Risk Assessment that quickly gives you an overview of where sensitive personal data is stored within your systems. The assessment identifies data across files, emails and documents, and highlights where your biggest risks are.
Sebastian Allerelli
Founder & COO at Safe Online
Sebastian is the co-founder and COO of Safe Online, where he focuses on automating processes and developing innovative solutions within data protection and compliance. With a background from Copenhagen Business Academy and experience within identity and access management, he has a keen understanding of GDPR and data security. As a writer on Safe Online's Knowledge Hub, Sebastian shares his expertise through practical advice and in-depth analysis that help companies navigate the complex GDPR landscape. His posts combine technical insight with business understanding and provide concrete solutions for effective compliance.





