Protecting the Unprotectable: Navigating Sensitive Data under GDPR

Sensitive data is a crucial aspect of any business or organisation, and its handling and protection are a critical responsibility. With the advent of GDPR, the stakes for handling sensitive data have been raised. GDPR requires organisations to take additional steps to protect sensitive data, which can include information related to health, race, ethnicity, religion, political opinions, and more. In this article, we will explore the concept of sensitive data under GDPR, the challenges involved in handling it, and best practices for protecting it.


Sensitive data refers to information that is particularly sensitive or private, and may cause significant harm or risk to an individual if disclosed or misused. Examples of sensitive data include but are not limited to medical records, financial information, genetic data, religious or philosophical beliefs, racial or ethnic origin, sexual orientation, and political opinions. As sensitive data can have significant implications for an individual’s privacy, protection of this type of data is critical. The General Data Protection Regulation (GDPR) sets out specific requirements for the processing and protection of sensitive personal data to ensure that individuals’ rights are protected. Therefore, it is important for organisations to understand how to identify and handle sensitive data to comply with the GDPR.

Types of Sensitive Data

Sensitive data can be classified as any personal information that requires heightened protection due to the potential for harm or discrimination if it is compromised. There are several types of sensitive data under GDPR:

  • Health and medical data: This includes any information related to an individual’s physical or mental health, such as medical diagnoses, treatments, test results, and medication information. It also covers information about an individual’s sexual health or history, as well as any genetic or biometric data that could be used to identify a specific individual.
  • Financial data: This includes any information related to an individual’s financial status or history, such as bank account numbers, credit card information, and income details. It also covers information about an individual’s financial transactions, such as purchases or investments, as well as any debt or bankruptcy information.
  • Biometric data: This includes any information related to an individual’s physical or behavioral characteristics that can be used to identify them, such as fingerprints, facial recognition data, or voice prints. It can also include data related to an individual’s gait, body movements, or other unique physical traits.
  • Racial or ethnic data: This includes any information related to an individual’s racial or ethnic background, such as their skin colour, language, or cultural heritage. It also covers any information related to an individual’s religious beliefs, such as their place of worship or religious practices.
  • Political opinions: This includes any information related to an individual’s political views or affiliations, as well as any activities or events related to political movements or campaigns. It can also include information about an individual’s voting history or political donations.

Under GDPR, organisations must take special care to protect sensitive data, as it is often more vulnerable to misuse or unauthorised access. This may involve implementing additional security measures, such as encryption or access controls, as well as obtaining explicit consent from individuals before processing their sensitive data. Organisations must also be transparent about how they are handling sensitive data, and must clearly communicate any potential risks or consequences of processing this type of information.

Legal Basis for Processing Sensitive Data

Under GDPR, sensitive data is given heightened protection due to its potential impact on an individual’s fundamental rights and freedoms. Article 9 of the GDPR defines sensitive data as data that relates to an individual’s race, ethnicity, political opinions, religion, trade union membership, genetic data, biometric data, health data, or sexual orientation.

Processing of sensitive data is prohibited under GDPR, except under certain circumstances. These circumstances include explicit consent from the data subject, processing necessary for reasons of substantial public interest, or processing necessary for the establishment, exercise, or defence of legal claims. Additionally, some member states have specific laws in place that further regulate the processing of sensitive data.

If an organisation wishes to process sensitive data, it must fall within one of the exceptions that permit such processing, and it must also have a lawful basis for the processing itself. This may involve obtaining explicit consent from the data subject or relying on other legal grounds, such as fulfilling a legal obligation or protecting vital interests. In all cases, the organisation must ensure that the data subject is fully informed about the processing of their sensitive data and their rights regarding that data.

Handling Sensitive Data

Handling sensitive data requires a high level of protection to ensure compliance with GDPR. Organisations must ensure that they have a lawful basis for processing sensitive data, which may include explicit consent from the data subject, fulfilling legal obligations, or protecting vital interests of the data subject. In addition, organisations must take extra care when handling sensitive data, including implementing strong technical and organisational measures to protect the confidentiality, integrity, and availability of such data.

Encryption and pseudonymization are two methods that can be used to protect sensitive data. Encryption involves converting the data into an unreadable format that can only be accessed with a key or password, while pseudonymization involves replacing the identifying information with pseudonyms. These methods can help reduce the risks of unauthorised access or disclosure of sensitive data.

Data minimization is another important consideration when handling sensitive data. Organisations should only collect and process the minimum amount of data necessary for the intended purpose. This can help reduce the risks of data breaches and unauthorised access to sensitive data.
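The pseudonymisation and data minimisation described in the two paragraphs above, as an added example that is not part of the original article: a constructed health record has its direct identifier replaced by a keyed pseudonym (so records stay linkable but cannot be re-identified without a key that is held apart from the data set), and every field outside an assumed purpose-specific allow list is dropped before the record leaves the system. The field names, the permitted set and the sample record are all assumptions for illustration.

```python
"""Pseudonymise and minimise a sensitive (health) record before export."""
import hashlib
import hmac
import secrets
from typing import Any, Dict

# Constructed sample record: one direct identifier plus special-category
# (health) data and fields the assumed purpose does not need.
SAMPLE_RECORD = {
    "patient_email": "a.person@example.org",
    "full_name": "A. Person",
    "date_of_birth": "1980-02-14",
    "diagnosis": "type 2 diabetes",
    "postcode": "AB12 3CD",
    "phone": "+44 1234 567890",
}

# Assumed purpose (statistical analysis): only these fields are needed.
PERMITTED_FIELDS = {"diagnosis", "date_of_birth"}

# Fields that directly identify a person and must never reach the export.
DIRECT_IDENTIFIERS = {"patient_email", "full_name", "phone", "postcode"}


def pseudonym_for(identifier: str, key: bytes) -> str:
    """Deterministic keyed pseudonym (HMAC-SHA256). Equal inputs give equal
    tokens, so records can be linked, but the token cannot be reversed or
    recomputed without the key, which is stored separately from the data."""
    normalised = identifier.strip().lower().encode("utf-8")
    return hmac.new(key, normalised, hashlib.sha256).hexdigest()


def pseudonymise(record: Dict[str, Any], key: bytes,
                 id_field: str = "patient_email") -> Dict[str, Any]:
    """Keep only permitted fields and attach a pseudonym for the identifier."""
    minimised = {k: v for k, v in record.items() if k in PERMITTED_FIELDS}
    minimised["subject_id"] = pseudonym_for(record[id_field], key)
    return minimised


def contains_direct_identifiers(record: Dict[str, Any]) -> bool:
    """Final check before export: no direct identifier may remain."""
    return any(field in record for field in DIRECT_IDENTIFIERS)


if __name__ == "__main__":
    # In production the key comes from a KMS/HSM, never from beside the data.
    key = secrets.token_bytes(32)
    safe = pseudonymise(SAMPLE_RECORD, key)
    assert not contains_direct_identifiers(safe)
    print(safe)
```

Deleting the key (or removing a subject's entry from the separately held key/lookup store) is what makes the exported records unlinkable to the person, which is why the key must live under tighter access control than the data set itself.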

Finally, organisations must take steps to safeguard sensitive data, including implementing physical, technical, and organisational security measures. This may include access controls, firewalls, intrusion detection and prevention systems, regular security assessments and audits, and employee training and awareness programs. Organisations should also have an incident response plan in place in case of a data breach or other security incident involving sensitive data.

Challenges in Handling Sensitive Data

Handling sensitive data can be challenging for organisations due to various reasons, including:

  • Identifying and classifying sensitive data: Identifying sensitive data can be challenging, as what an organisation treats as sensitive varies from one organisation to another, and the categories GDPR names do not amount to a comprehensive list of every data type an organisation may need to protect. Hence, organisations need to define and classify their sensitive data based on the nature of their business and a risk assessment.
  • Balancing the need for data protection with the need for data access: Organisations need to balance the need for data protection with the need for data access to ensure that their employees have the necessary data access to perform their job duties. At the same time, they need to ensure that sensitive data is not accessed by unauthorised persons.
  • Ensuring secure storage and transmission of sensitive data: Organisations need to implement appropriate technical and organisational measures to ensure the secure storage and transmission of sensitive data. This includes encryption, pseudonymization, data minimization, access controls, and other security measures. Organisations also need to ensure that third-party vendors who process their sensitive data comply with GDPR requirements.

Best Practices for Handling Sensitive Data

Best practices for handling sensitive data are critical to ensure compliance with GDPR and safeguard the privacy of individuals. Some of the best practices include:

  1. Implementing privacy by design principles: Privacy by design (PbD) is an approach to data protection that integrates data protection measures into the design and development of products and services. PbD principles can help to identify and mitigate privacy risks associated with handling sensitive data.
  2. Conducting regular risk assessments: Regular risk assessments can help organisations identify and manage privacy risks associated with handling sensitive data. Risk assessments can identify vulnerabilities in systems and processes that need to be addressed.
  3. Providing employee training and education: Employees should be trained on the proper handling of sensitive data, including how to identify and protect sensitive data, how to report potential breaches or incidents, and how to comply with GDPR requirements.
  4. Developing clear policies and procedures for handling sensitive data: Organisations should develop clear policies and procedures for handling sensitive data, including guidelines for data access, data storage, data retention, and data disposal. Policies and procedures should be regularly reviewed and updated to reflect changes in the regulatory environment and technological advances.

By implementing these best practices, organisations can effectively handle sensitive data while complying with GDPR requirements and protecting the privacy of individuals.

Case Studies of Successful Sensitive Data Handling

Case studies of successful handling of sensitive data can offer valuable insights for other organisations seeking to improve their data protection practices. Some examples of companies that have successfully handled sensitive data include:

  1. ProtonMail: ProtonMail is an email service that is specifically designed to protect user privacy. The company uses end-to-end encryption to ensure that messages can only be read by the sender and recipient. ProtonMail also stores all user data on servers in Switzerland, which has strong data protection laws.
  2. Apple: Apple is known for its strong commitment to user privacy. The company uses encryption to protect sensitive data on its devices, and it has implemented a number of measures to prevent unauthorized access to user data. For example, Apple requires users to authenticate themselves before accessing sensitive data such as health records or financial information.
  3. Slack: Slack is a collaboration tool that is widely used by businesses around the world. The company has implemented a number of security measures to protect sensitive data, including two-factor authentication and encryption. Slack also provides users with a range of tools to control their own data, such as the ability to delete messages and limit the retention of data.

In each of these cases, the companies have implemented a range of measures to protect sensitive data, from encryption and pseudonymization to data minimization and access controls. These measures are based on privacy by design principles, and they reflect a strong commitment to user privacy and data protection. Lessons that can be learned from these cases include the importance of building privacy and data protection into products and services from the outset, and the need for ongoing risk assessments and employee training.


In conclusion, handling sensitive data is a critical aspect of data protection under GDPR. The protection of sensitive data is crucial in ensuring privacy and data security for individuals. Organisations must take measures to identify, classify, and protect sensitive data, while also ensuring they have a lawful basis for processing it. Encryption, data minimization, and pseudonymization are just a few of the ways that organisations can protect sensitive data. By following best practices and implementing privacy by design principles, organisations can protect sensitive data, minimise risk, and build trust with their stakeholders.
