What's the difference between personal data and sensitive personal data?

Personal data refers to any information that can be used to identify a specific individual. This can include, but is not limited to, names, addresses, phone numbers, email addresses, and demographic information.

Sensitive personal data, on the other hand, is a subset of personal data that is considered to be more sensitive and, if disclosed, could cause greater harm or damage to an individual’s privacy and security. Sensitive personal data includes information such as health records, financial information, biometric data, and information about an individual’s race, religion, sexual orientation, or political opinions.

In general, the handling and protection of sensitive personal data is subject to more stringent regulations and security measures compared to non-sensitive personal data.

Personally Identifiable Information (PII)

PII (Personally Identifiable Information) and personal information are similar but not exactly the same. PII refers to information that can be used to identify a specific individual. This can include, but is not limited to, a full name, social security number, driver’s license number, passport number, financial account information, and home address.

Personal information is a broader term that can encompass PII, but also includes other information about an individual, such as their age, gender, education level, employment information, and personal interests.

In general, PII is considered to be a subset of personal information and is subject to more stringent regulations and security measures to protect the privacy of individuals.

Sensitive personal data

Sensitive personal data is a more specific set of categories that must be handled with greater care, as its exposure could cause a person considerable financial or personal harm.  

Examples of sensitive information are a person’s financial and health information, race or ethnic background, political opinions, religious or philosophical beliefs, membership of a trade union, sex life or sexual orientation, genetic data and biometric data.   

Sensitive business data

We should also mention sensitive business data. Although the regulations that protect it may be different ones, this type of data should be carefully protected as well. Sensitive business information might include intellectual property, trade secrets, plans for a merger, or any other data that would negatively affect the business if it fell into a competitor’s hands. 

How might others access someone's sensitive personal data?

There are several ways that sensitive personal data can be accessed by others.

Processing mistakes

Data breaches can be simple and unintentional. For example, one of your employees might leave sensitive files unlocked or their laptop open, lose the laptop, or leak their passwords. They may send sensitive data in an unprotected email or message, or send it to the wrong person.

But human error and system glitches are not the only culprits. Sensitive data is also a favorite target of cyberattackers.


Take phishing, an increasingly common social engineering attack used to steal user data.

The attacker masquerades as a trusted entity. The goal is to dupe a victim (who might be you or one of your employees) into opening an email, instant message, or text message. The fraudulent message could trick you into revealing sensitive company information. It can also automatically deploy malicious software on your systems (like ransomware).

Ransomware attacks lock up your programs or data files, causing a costly interruption to your business. Data theft, on the other hand, exposes you and all the personal data you store to theft or publication.  

Once they’ve gained access to sensitive data like bank account or credit card numbers, personal health information, Social Security numbers, etc., cyber-criminals can do a world of damage to you and your customers. They can easily open up a line of credit in someone else’s name, empty bank or stock trading accounts, and more. 


What happens if sensitive data is breached?

The consequences for a company of a breach of sensitive data vary and can range from relatively minor to catastrophic, depending on the amount of data leaked, its sensitivity, and your company’s level of negligence.

In some cases, companies had to pay tens of millions of dollars in damage compensation to customers and financial institutions. Small and medium businesses are the most vulnerable. Smaller organizations have higher costs relative to their size than larger organizations. This makes it very difficult to recover financially from a data breach. 

Besides substantial financial penalties, companies found in breach will have to spend money on responding to and recovering from it. They will also suffer a damaged reputation among stakeholders and customers. Customer turnover, business disruption, and system downtime will add to the heavy costs of a data breach. 

Organizations today have around a 30% chance of experiencing a data breach within two years. 

It is impossible to guarantee this will not happen to your company, but there is much you can do to prevent it and at the same time demonstrate ‘good faith’ when handling others’ personal data, minimizing potential liability.  

Put systems and processes in place to track and protect sensitive data, and to document those processes. Show authorities and others that your company does everything required to ensure the security of people’s sensitive data. This may reduce your company’s culpability in case of a data breach.  

Do this to protect your data

A tool for data discovery can help you organize your files and protect the sensitive personal data you have stored. It can help you with the following:

Find out where all your data is stored 

Classify data by its sensitivity/risk level, type and format 

Choose and implement effective and compliant security controls  

Create accurate Data Privacy Impact Assessments 

Report personal data breaches and security incidents on time 

Continuously monitor your risk level and assess the impact of your data processing activities 

Keep documentation and create audit reports to comply with other legal requirements 

We have developed DataMapper to easily find, map and continuously monitor sensitive data.


Sebastian Allerelli

Governance, Risk & Compliance Specialist