The GDPR: Sensitive personal data, differences, examples and data protection

Share on facebook
Share on twitter
Share on linkedin
Share on email
sensitive data examples

Stay up to date

Stay up to date with the latest threat reports, articles & mistakes to avoid.

Simple, yet important content.
No salesy pitches and all that, promise!

This is your go-to reference for defining sensitive data, examples, and GDPR personal data, including identifying, classifying, and protecting sensitive data.


  • Sensitive Data provides information about a particular group of personal data on an individual’s information such as religion, political opinions, sexual orientation, biometric and genetic data.
  • The General Data Protection Regulation (GDPR) defines personal data as information that could directly or indirectly reveal a person’s identity.

While carrying out GDPR pen tests and security assessments we have often found sensitive data lying around without good deal of access control measures. It includes credentials to third-party vendor sites, personal email account information, passports, credit cards and many more items containing sensitive data. 

It is now easy to access information relating to an individual from the north pole to the south pole with a fast-moving world.

Have you ever wondered how your personal information is protected or even handled?

What is sensitive data?

General Data Protection Regulation (GDPR) lays out two broad categories of data. The first one includes customer’s personal data, including their name, postal address, contact, or even IP address. Organisations storing and using this information should comply with the GDPR. The second category includes sensitive data, which provides a particular group of personal data on an individual’s information such as religion, political opinions, sexual orientation, biometric and genetic data.

GDPR’s definition of personal data is somewhat similar to the regular definition. It defines sensitive data as a sample of data containing information that recognises a person directly or counterfeit information that does not identify personal identification but can still be utilised to detect individual behaviour patterns.

Examples of sensitive data  

If hackers were to gain access to a business’ systems and applications, it is most likely to exfiltrate the following information to achieve their objectives (corporate espionage, nation-state, competitor gains, theft or others). If you ever wondered ‘what is an example of sensitive data?’, the following examples explain the different categories and sensitive personal information examples;

  1. Biometric data- facial features and recognition, voice recognition, fingerprints, iris scanning, palm recognition, retina and ear shape recognition.
  2. Health data – information relating to medical history, data on disability, medical diagnosis, opinions, fitness apps.
  3. Genetic data- DNA and RNA analysis, chromosomal information.
  4. Individual data- ethnic, race, religion, culture, background, political views, sexual orientation.
  5. Financial data- bank information, credit card details, and security codes and pins.
  6. Classified data- this included any data that is classified.
  7. Business or work information- financial accounts and statements, Intellectual Property (IP), employees information and trade secrets.

examples of sensitive data

GDPR personal data definition

According to the GDPR, personal data is any information associated with a naturally identified or identifiable person. Any of the following items of data can be considered personal data under certain circumstances:

  • Identifier’s Name
  • Identification Number
  • Location data
  • Contact information such as a home address, email address
  • IP address
  • Advertising ID

or other factors relating to the natural person’s identity such as physiology, genetics, physical, mental, socio-economic, and cultural factors. It can also be related to data assigned in any way to an individual, such as credit card or bank contact details.

Personal data is restricted to the name and surname and online information associated with the identifier’s login details, devices, applications used, protocols, tools, internet services, and cookie identifiers.

For Data Protection Act (DPA) purposes, there are several steps to identify if the data is personal data:

  • Identifiability – Is it possible to identify an individual from the data in possession of the data controller?
  • ‘relates to’ – Does the data ‘relates to the identifiable living individual?
  • Data ‘obviously about’ an individual
  • Data ‘linked to’ an individual
  • The purpose of processing
  • Biographical significance about the individual
  • Does the information concentrate on the individual?
  • Data impact or have the potential to impact an individual

This example is taken from the official source. A data controller has information about an individual without its name but can still be identified because other data points are considered personal data.

How to identify Personal Data

Personal vs sensitive data

It is easy to identify the difference between personal and sensitive data based on multiple factors. Sensitive personal data is a set of ‘special category data’. GDPR defines special category data related to any of the following:

  • Racial or ethnic origin
  • Political opinions
  • Religious or philosophical beliefs
  • Trade union membership
  • Genetic data
  • Biometric data used for identification purposes
  • Data regarding health, sex life and sexual orientation

Any data regarding criminal allegations, convictions or proceedings is handled differently under separate rules. One primary rule related to special category data is all processing should be fair, lawful and transparent while complying with GDPR requirements.

GDPR Sensitive personal data examples

To enable you with a view of personal data and sensitive data, including sensitive personal data under GDPR with examples  – Let us understand the subtle difference between personal data and sensitive data using the example given below.

Say,, 1092348292 is the information given by person Y while filling an online application form. Here, the email address, contact information, browser information is fed in by person Y. Apart from this, online information, login details, application, device tools, IP address will also be available to the operator. This information is included under Personal Data. Organisations collect this data, store multiple parts of the information, and later assemble this piece of information to identify a data subject.

On the other hand, personal data will focus on personal information related to person Y, such as ethnic and racial origin, political, religious, and philosophical opinions, genetic and Biometric data.

How does one identify and classify sensitive data?

Sensitive data includes private information that needs to be protected from third-party access. Sensitive data can be physical data such as personal information on papers and documents, digital data, which includes personal information fed online. These can also include digital or physical documents such as videos, audio recordings, or even photographs.

Before recognising sensitive Data, one needs to ponder on the classification of this data. This classification is mandatory for appropriate, sharp data handling.

Before measuring data sensitivity, the three principles of information security must be kept in mind, i.e., how Confidentiality, Integrity and Availability (CIA) would be impacted if certain data items were exposed.

Here, five steps to classify data are explained, which will further help you identify sensitive data.

  1. Have a clear understanding of all the information an organisation seeks from you. Recognise the contractual privacy and requirements for confidentiality.
  2. Understand if the information will be available to the public or be confined. Sensitive data is usually not open for public disclosure.
  3. Track the flow of data as it will provide insight into data needed for protection and the ways to protect it.
  4. Identify where the data is stored. It is essential to understand how sensitive information is utilised, stored, and handled.
  5. If you know your data location, it will be easy to identify whether an organisation is looking into personal or sensitive data.

Let’s now know more about sensitive data and its exposure.

What is sensitive data exposure?

Whenever an organisation or company reveals an individual’s sensitive data, it can cause data exposure. It can occur due to the inadequate protection of the database that stores the information. Weak or loss of encryption, software errors, or employee mistakes can be reasons for data exposure. Healthcare and medical information, bank data such as account details, financial status, passwords or pin codes, home or work address, and Contact are information that can be left exposed.

It is different from a data breach as in data breaching, and all communication is revealed or accessed by the company, organisation, or a third party without consent or authorisation. In data breaching, personally identifiable data such as name, contact details, bank account number and statements, and ATM pin are used by hackers to misuse data and gain some money. Here, data is targeted to rob or steal, damage or modify. On the other hand, in Data exposure, information is revealed for anyone to access without any intentional harm.

Businesses should assess themselves using sensitive data exposure testing exercises at various levels. OWASP defines sensitive data exposure as one of the top 10 critical risks. For infrastructure or organisation-wide data protection of sensitive data, assess your risk using annual independent penetration testing work. 

How to protect sensitive data?

Here are some steps to help yourself protect yourself during a sensitive data exposure incident

  • Use complex passwords

With everything digital, it is perhaps challenging to keep a note of all the passwords in mind. We highly recommend making use of the following features:

  • The use of password manager software has multiple benefits. You don’t need to remember a password. A password manager will generate different passwords for different accounts and can generate much more complex passwords.
  • Passwordless sign is offered by Yubico, Ping Identity, AuthN, Microsoft for most of its services.
  • Where the above options aren’t available, you should try to use passphrase based passwords. No better instance to add the following ‘password strength’ webcomic

The above actions would keep your accounts safe from credential hacking, password reuse attacks, password spraying and other attacks that work based on shared password string or hashes.

data protection strong passwords
The famous xkcd password strength explanation

Also, avoid using your name or contact number or details relating to you, which can be too obvious to be a part of the password book. You could note it down somewhere, only where you could access it and decode it.

  • Keep an eye on your bank status.
    Make sure to keep a note of all your account details and transactions. In recent times, hackers try to call you over a phone call, disguise themselves as bank managers, and lure you into revealing your bank details. Remember, no bank employees converse regarding money over the phone. Avoid answering calls or replying to texts that sound suspicious and are related to your bank. Contact your bank manager whenever you come across such a situation. Also, report to the bank and the police if you have lost your credit card or any bank related information.
  • Be wise on the URLs
    Before visiting any website, make sure it is a well-known reputable site. Don’t be in haste and click pop-ups or agree to all the cookies or permissions that pop on the screen.
  • Anti-virus protection to your rescue
    While working digitally, we tend to make online transactions too. In some cases, the same device is used for institutional or company-related purposes. You might need to download software, programs, and other inputs. Therefore, having your system protected with a reputed anti-virus solution is essential.

Learn these 4 D’s, which are easy to go tips on securing your sensitive data and never worry about any breach.

  1. Discover- identify the location where your sensitive data is stored—the first step in complying with many regulations that include risk assessments, signups, and data disposal.
  2. Data reduction- make sure to reveal your sensitive information whenever a necessity. Also, understand how it will be collected, stored, utilised, and handled by the operators.
  3. Defence- protect your data by regularly reviewing. If you own a company and handle sensitive data of your customers or clients, remember to keep track of all the third-party handlers and their protocols to secure sensitive data.
  4. Defining- make sure to read about all the policies that talk about or explain data to be protected.

Take home message

This article has run through Personal Data and Sensitive data features, how both the types differ, exposure, identification, and steps to secure sensitive data. We need to understand the subtle differences between personal data and sensitive data. Recognition is the first step towards identifying and classifying data. This knowledge enables us to secure ourselves whenever our data is exposed and take appropriate steps in conserving all the sensitive information to avoid being breached.

How Cyphere can help you protect your most sensitive data

Monitoring credential leakages, information on your employees, processes or technology assets can be found on the internet through various channels. This information is useful for hackers to prepare an attack layout that helps shape the attack infrastructure setup needed to bypass controls. Through exercises such as Red Teaming, Penetration Testing, Phishing and OSINT (Open-Source Information Gathering Intelligence), organisations can assess their exposures differently based on where high-risk vulnerabilities are located in their organisation.

Gain a comprehensive view of how your information security and data privacy practices apply at the ground, much more than just documents or policy files with our GDPR specific exercises such as GDPR Penetration Testing and Data Privacy Services.

Get in touch to discuss your primary security concerns with our security experts.