Understanding GDPR definitions: Special Category Data

GDPR compliance

Understanding the complexities within the General Data Protection Regulation (GDPR) is important, but it’s not always as simple as clicking “search” and hoping for the easiest result. Instead, the GDPR sets out to provide an extensive framework for the processing, storage, and sharing of personal information. In an earlier blog post on the GDPR, we defined its purpose as:

“…to protect the information and privacy of individual citizens within the European Union and the European Economic Area. The GDPR exists to put individuals in direct control of their personal data, and therefore governs every process relating to any type of personal data.”

Personal data processing

Of course, as a regulatory framework that exists to uphold the rights of data owners (that’s you, me, and everyone, by the way), the GDPR can seem a little long-winded. For the layman or business person who believes their business isn’t “about data”, we’ve got some news for you. Data, and specifically personal data, is a fundamental element of your business operations. It’s now an inescapable fact of operating a business: to run your business, you need data. We’d like to extend that, however, and outline something even truer: to run your business effectively, you need data, processes, and procedures that are GDPR compliant. But before you panic over the paperwork, ProPrivacy can help: we turn your data compliance concerns into manageable tasks and enable your company to develop and implement a GDPR compliance programme.

Special category data

But, understanding how the GDPR affects your business begins with understanding some important definitions. One of those is Special Category Data. Article 9 of the GDPR outlines and defines the term “Special Category Data” as:

“…personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, and the processing of genetic data, biometric data for the purpose of uniquely identifying a natural person, data concerning health or data concerning a natural person’s sex life or sexual orientation…”

But what if we need that personal data?
Oh yes, we forgot to mention: the collection of Special Category Data:

“…is prohibited.” 

The owners of tick-box systems are not rejoicing. Suddenly, on the first read of Article 9 of the GDPR, it appears that you can no longer collect personal data that’s often extremely relevant to your business needs.

Special Category Data Exceptions

At first glance, that puts you in a bit of a pickle, but Article 9 goes on to make exceptions – also known as derogations – for the collection of Special Category Data. You may breathe a little sigh of relief now, but be aware: the collection of Special Category Data can be an onerous process for a business, and GDPR compliance is compulsory. In short, however, in terms of the GDPR, you can collect, process, and store Special Category Data in line with the derogations outlined in Article 9 of the GDPR, and where they are permitted under national or regional law.

Of course, as a company, you’d need to make specific cases for the collection, storage, and processing of Special Category Data, so it’s not as simple as it seems. The documentation, monitoring, and process implementation would need to include data protection impact assessments (DPIAs) and further records of data processing activities.

That’s why you need a GDPR compliance partner that will help you stay on the right side of regulation. Get in touch with the ProPrivacy team and we’ll help you roll out a GDPR compliance programme that covers every requirement.

Written By Philipa Jane Farley

Philipa is the lead consultant and auditor at ProPrivacy. With clients as far afield as Canada, South Africa, Kenya, Germany, Spain and other such exotic locations, besides Cork and elsewhere in Ireland, Philipa enjoys a broad view of the state of data protection, privacy and cyber security worldwide. Philipa’s passion is manageable data compliance for SMEs.

Philipa is a qualified teacher, besides holding qualifications in computer science (Bachelor of Science in Artificial Intelligence Programming) and electronic and intellectual property law (LLB). She is trained in constitutional (fundamental) rights litigation and enjoys a good debate.

Philipa has over twenty years of experience working in different-sized organisations and sectors on operational, governance, risk management and compliance matters. She is an analytical and focused person who enjoys a challenge in the workplace. She loves technology, systems and people and has a passion for showing people how technology can make life easier and better. She understands that the world is driven by data today but privacy is paramount. Responsibly developed AI excites Philipa for the future.
