This is your go-to reference for defining sensitive data, examples, and GDPR personal data, including identifying, classifying, and protecting sensitive data.
- Sensitive data is a particular group of personal data about an individual, such as religion, political opinions, sexual orientation, and biometric and genetic data.
- The General Data Protection Regulation (GDPR) defines personal data as information that could directly or indirectly reveal a person’s identity.
While carrying out GDPR pen tests and security assessments, we have often found sensitive data lying around with few or no access control measures. It includes credentials to third-party vendor sites, personal email account information, passports, credit cards and many more items containing sensitive data.
With a fast-moving world, it is now easy to access information relating to an individual from the north pole to the south pole.
Have you ever wondered how your personal information is protected or even handled?
What is sensitive data?
Sensitive data means confidential information that must be stored safely and out of reach of unauthorised users.
Sensitive data includes private information that needs to be protected from third-party access. Sensitive data can be physical data, such as personal information on paper documents, and digital data, which includes personal information entered online. It can consist of digital or physical records such as videos, audio recordings, or even photographs.
General Data Protection Regulation (GDPR) lays out two broad categories of data.
- The first one includes customers’ personal data, including their name, postal address, contact details, or even IP address. Organisations storing and using this information should comply with the GDPR.
- The second category includes sensitive data, a particular group of personal data about an individual such as religion, political opinions, sexual orientation, and biometric and genetic data. Data protection in the UK refers to the 8 principles defined by the Data Protection Act.
Which term is used to refer to personal sensitive data?
PII, also known as Personally Identifiable Information, is any piece of information that can be used to identify an individual. For instance, a date of birth or national insurance number (social security number) is a piece of information that can be related to an identified or identifiable natural person.
GDPR’s definition of personal data is somewhat similar to the traditional definition. It covers both information that identifies a person directly and indirect information that does not identify a person on its own but can still be used to single out an individual’s behaviour patterns.
Examples of sensitive data
- Biometric data – facial features and recognition, voice recognition, fingerprints, iris scanning, palm recognition, retina and ear shape recognition.
- Health data – information relating to medical history, data on disability, medical diagnosis, opinions, and fitness apps.
- Genetic data – DNA and RNA analysis, chromosomal information.
- Individual data – ethnicity, race, religion, culture, background, political views, sexual orientation.
- Financial data – bank information, credit card details, security codes, and PINs.
- Classified data – any information that is classified.
- Business or work information – financial accounts and statements, Intellectual Property (IP), employee information and trade secrets.
Popular FAQs on personal data
What are 3 examples of personal data?
Credit card, account number, telephone or customer address are all examples of personal data.
Is a work email address personal data?
Yes, you can relate a workplace’s name and email address to an individual person; therefore, it is personal data.
Are business email addresses personal data under GDPR?
Yes, you can relate a name and a corporate email address to an individual.
Is the home address personal data under GDPR?
Yes. Your home address can be used to identify you as a person. Therefore, it is personal data.
Is the date of birth personal data under GDPR?
Yes. It is non-sensitive personal data because it can be used to relate to an individual.
Is information about the deceased individual personal data?
No. The UK GDPR applies to personal data related to living individuals.
What are non-personal data?
Any data that does not relate to individual information directly or indirectly.
Any data that can’t identify you is non-personal data.
Examples of non-personal data:
- Information about a company
- Public authorities
- Deceased individual’s personal data
- Statistics about people, weather or anything that does not identify an individual
and so on…
GDPR personal data definition
According to the GDPR, personal data is any information associated with a naturally identified or identifiable person. Any of the following items of data can be considered personal data under certain circumstances:
- Identifier’s Name
- Identification Number
- Location data
- Contact information such as a home address, email address
- IP address
- Advertising ID
or other factors relating to the natural person’s identity, such as physiology, genetics, physical, mental, socio-economic, and cultural factors. It can also be related to data assigned in any way to an individual, such as credit card or bank contact details.
Personal data is restricted to the name, surname, and online information associated with the identifier’s login details, devices, applications used, protocols, tools, internet services, and cookie identifiers.
For Data Protection Act (DPA) purposes, there are several steps to identify if the data is personal data:
- Identifiability – is it possible to identify an individual from the data in the possession of the data controller?
- ‘Relates to’ – does the data relate to an identifiable living individual?
- Is the data obviously about an individual?
- Is the data ‘linked to’ an individual?
- What is the purpose of processing the personal data?
- Does the data have biographical significance for the individual?
- Does the information concentrate on the individual?
- Does the data impact, or have the potential to impact, an individual?
This example is taken from the official source. A data controller holds information about an individual without their name, but the individual can still be identified from the other data points, so those data points are personal data.
Personal vs sensitive data
Multiple factors make it easy to identify the difference between ordinary personal data and sensitive data. Sensitive personal data is a set of ‘special category data’. GDPR defines special category data related to any of the following:
- Racial or ethnic origin
- Political opinions
- Religious or philosophical beliefs
- Trade union membership
- Genetic data
- Biometric data used for identification purposes
- Data regarding health, sex life and sexual orientation
The above list includes all types of personal data as defined under GDPR. Any data regarding criminal allegations, convictions or proceedings is handled differently under separate rules. One primary rule related to special category data is all processing should be fair, lawful and transparent while complying with GDPR requirements.
GDPR Sensitive data examples
To show personal and sensitive data, including sensitive personal data under GDPR, with examples, let us look at the subtle difference between personal and sensitive data in the examples below.
Say [email protected] and 1092348292 are the details given by person Y while filling out an online application form. Here, the email address, contact number and browser information are entered by person Y. Apart from this, online information, login details, application, device tools and IP address will also be available to the operator. All of this is personal data. Organisations collect this data, store the separate parts of it, and later assemble the pieces to identify a data subject.
Is an email address considered personal data?
On the other hand, sensitive data focuses on personal information about person Y such as ethnic and racial origin, political, religious and philosophical opinions, and genetic and biometric data.
Before recognising sensitive data, one needs to consider how this data is classified, which is a prerequisite for appropriate, precise data handling.
Before measuring data sensitivity, the three principles of information security must be kept in mind, i.e., how Confidentiality, Integrity and Availability (CIA) would be impacted if certain data items were exposed. Sensitive data means any information that should be protected from unauthorised access or disclosure because of its sensitive nature.
Here, five steps to classify data are explained, which will further help you identify sensitive data.
- Have a clear understanding of all the information an organisation seeks from you. Recognise the contractual privacy and requirements for confidentiality.
- Understand if the information will be available to the public or be confined. Sensitive data is usually not open for public disclosure.
- Track the flow of data as it will provide insight into data needed for protection and the ways to protect it.
- Identify where the data is stored. Understanding how sensitive information is utilised, stored, and handled is essential.
- Knowing your data location will make it easy to identify whether an organisation is looking into personal or sensitive data.
Let’s now look at sensitive data and its exposure.
What is sensitive data exposure?
Whenever an organisation or company reveals an individual’s sensitive data, it causes data exposure. It can occur due to inadequate protection of the database that stores the information. Weak or missing encryption, software errors, or employee mistakes can all be causes of data exposure. Healthcare and medical information, bank data such as account details, financial status, passwords or PIN codes, home or work address, and contacts can be left exposed.
It is different from a data breach, in which data and communications are accessed or revealed by a company, organisation, or third party without consent or authorisation. In a data breach, personally identifiable data such as name, contact details, bank account number and statements, and ATM PIN are used by hackers to misuse the data and make money; the data is targeted to be stolen, damaged or modified. In data exposure, on the other hand, information is revealed for anyone to access without intentional harm.
Businesses should assess themselves using sensitive data exposure testing exercises at various levels. OWASP defines sensitive data exposure as one of the top 10 critical risks. Assess your risk using annual independent penetration testing work for infrastructure or organisation-wide data protection of sensitive data.
How does one identify and classify sensitive data?
Follow these steps:
- Discover – identify where your sensitive data is stored. This is the first step in complying with many regulations and feeds risk assessments, sign-ups and data disposal.
- Data reduction – reveal your sensitive information only when necessary, and understand how operators will collect, store, use and handle it.
- Defence – protect your data by reviewing it regularly. If you run a company and handle the sensitive data of customers or clients, keep track of all third-party handlers and the protocols they use to secure sensitive data.
- Defining – read all the policies that describe which data must be protected.
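As an added example (not from this article or Cyphere), the classification and discovery steps above as a small Python checker: it labels record fields using the page’s special category and personal data lists, and also catches personal data hiding in innocuously named fields by value shape (an email address, the shape of a UK National Insurance number, or a payment card number that passes the Luhn check). The field-name lists, the regular expressions and the sample record are assumptions constructed for the example.

```python
import re

# Special category (sensitive) data fields, per the GDPR list on this page (assumed names).
SPECIAL_CATEGORY = {"ethnicity", "political_opinion", "religion", "trade_union",
                    "genetic", "biometric", "health", "sexual_orientation"}
# Ordinary personal data fields, per the page's examples (assumed names).
PERSONAL = {"name", "email", "phone", "address", "ip_address", "date_of_birth",
            "card_number", "bank_account", "national_insurance"}

EMAIL_RE = re.compile(r"^[^@\s]+@[^@\s]+\.[^@\s]+$")
# Simplified UK National Insurance number shape: 2 letters, 6 digits, suffix A-D.
NI_RE = re.compile(r"^[A-CEGHJ-PR-TW-Z]{2}\d{6}[A-D]$", re.IGNORECASE)

def luhn_ok(digits):
    """Luhn checksum used by payment card numbers (cuts false positives on digit runs)."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch) * 2 if i % 2 else int(ch)   # double every second digit from the right
        total += d - 9 if d > 9 else d
    return total % 10 == 0

def classify_value(value):
    """Discovery step: infer a label from the value's shape when the field name says nothing."""
    text = str(value)
    compact = text.replace(" ", "").replace("-", "")
    if EMAIL_RE.match(text):
        return "personal:email"
    if NI_RE.match(compact):
        return "personal:national_insurance"
    if compact.isdigit() and 13 <= len(compact) <= 19 and luhn_ok(compact):
        return "personal:card_number"
    return None

def classify_record(record):
    """Return {field: label} for each field holding personal or special category data."""
    labels = {}
    for field, value in record.items():
        key = field.lower()
        if key in SPECIAL_CATEGORY:
            labels[field] = "special_category"
        elif key in PERSONAL:
            labels[field] = "personal"
        elif (hit := classify_value(value)):
            labels[field] = hit     # PII hiding under an innocuous field name
    return labels

# Constructed sample record (not real data); 4111... is the well-known Visa test number.
SAMPLE = {"Name": "Person Y", "Religion": "redacted", "notes": "person.y@example.com",
          "ref": "AB 12 34 56 C", "payment": "4111 1111 1111 1111", "ticket": "12345"}
```

Fields that carry a "special_category" label are the ones that need the strictest access control; plain digit runs such as the ticket number are left unlabelled because they fail the Luhn check.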
How to protect sensitive data?
Here are some steps to help protect yourself from sensitive data exposure:
- Use complex passwords
With everything digital, it is hard to keep every password in your head. We highly recommend making use of the following:
- A password manager has multiple benefits. You don’t need to remember passwords, and it will generate a different, far more complex password for each account.
- Passwordless sign-in is offered by Yubico, Ping Identity, AuthN, and Microsoft for most of its services.
- Where the above options aren’t available, use passphrase-based passwords. There is no better place to cite the well-known ‘password strength’ webcomic.
The above actions would keep your accounts safe from credential hacking, password reuse attacks, password spraying and other attacks based on shared password strings or hashes.
Also, avoid using your name, contact number or other details relating to you, which are too obvious to be part of a password. If you must write a password down, keep it somewhere only you can access and decode it.
- Are bank details sensitive data?
Yes. Keep in mind that personal data is any information that can be related to the identification or used to identify a person. In this case, bank account number, credit card number, and contact information such as an address and telephone number are all personal data.
- Keep a note of all your account details and transactions. Recently, hackers have taken to phoning people while posing as bank managers to lure them into revealing their bank details. Remember, no bank employee discusses money matters over the phone. Avoid answering calls or replying to texts that sound suspicious or claim to relate to your bank; contact your bank manager directly whenever you come across such a situation. Also, report to the bank and the police if you have lost your credit card or any bank-related information.
- Be wise about the URLs
Before visiting any website, make sure it is a well-known, reputable site. Don’t rush to click pop-ups or agree to every cookie or permission request that pops up on the screen.
- Anti-virus protection for your rescue
While working digitally, we tend to make online transactions too, and sometimes the same device is used for institutional or company-related purposes. You might need to download software, programs and other files. Therefore, having your system protected with a reputable anti-virus solution is essential.
Learn these 4 Ds (Discover, Data reduction, Defence and Defining), easy-to-follow tips on securing your sensitive data so you never have to worry about a breach.
How Cyphere can help you protect your most sensitive data
Leaked credentials and information on your employees, processes or technology assets can be found online through various channels. This information helps hackers prepare an attack plan and shape the attack infrastructure needed to bypass controls. Through exercises such as Red Teaming, Penetration Testing, Phishing and OSINT (Open-Source Intelligence) gathering, organisations can assess their exposure from different angles based on where the high-risk vulnerabilities in their organisation are located.
Gain a comprehensive view of how your information security and data privacy practices apply on the ground, well beyond documents or policy files, with our GDPR-specific exercises such as GDPR Penetration Testing and Data Privacy Services.
Get in touch to discuss your primary security concerns with our security experts.
Harman Singh is a security professional with over 15 years of consulting experience in both public and private sectors.
As the Managing Consultant at Cyphere, he provides cyber security services to retailers, fintech companies, SaaS providers, housing and social care, construction and more. Harman specialises in technical risk assessments, penetration testing and security strategy.
He regularly speaks at industry events, has been a trainer at prestigious conferences such as Black Hat and shares his expertise on topics such as ‘less is more’ when it comes to cybersecurity. He is a strong advocate for ensuring cyber security as an enabler for business growth.
In addition to his consultancy work, Harman is an active blogger and author who has written articles for Infosecurity Magazine, VentureBeat and other websites.