Understanding GDPR definitions: Special Category Data

GDPR compliance

Understanding the complexities within the General Data Protection Regulation (GDPR) is important, but it’s not always as simple as clicking “search” and hoping for the easiest result. The GDPR sets out an extensive framework for the processing, storage, and sharing of personal information. In an earlier blog post on the GDPR, we defined its purpose as:

“…to protect the information and privacy of individual citizens within the European Union and the European Economic Area. The GDPR exists to put individuals in direct control of their personal data, and therefore governs every process relating to any type of personal data.”

Personal data processing

Of course, as a regulatory framework that exists to uphold the rights of data owners (that’s you, me, and everyone, by the way), the GDPR can seem a little long-winded. For the layman or business person who believes their business isn’t “about data”, we’ve got some news for you. Data, and specifically personal data, is a fundamental element of your business operations. It’s now an inescapable fact of operating a business: to run your business, you need data. We’d like to extend that, however, and outline something even truer: to run your business effectively, you need data, processes, and procedures that are GDPR compliant. But, before you panic over the paperwork, ProPrivacy can help, as we turn your data compliance concerns into manageable tasks, and enable your company to develop and implement a GDPR compliance programme.

Special category data

But, understanding how the GDPR affects your business begins with understanding some important definitions. One of those is Special Category Data. Article 9 of the GDPR outlines and defines the term “Special Category Data” as:

“…personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, and the processing of genetic data, biometric data for the purpose of uniquely identifying a natural person, data concerning health or data concerning a natural person’s sex life or sexual orientation…”

But what if we need that personal data?
Oh yes, we forgot to mention: the collection of Special Category Data:

“…is prohibited.” 

The owners of tick-box systems are not rejoicing. Suddenly, on the first read of Article 9 of the GDPR, it appears that you can no longer collect personal data that’s often extremely relevant to your business needs. 

Special Category Data Exceptions

That puts you in a bit of a pickle at first glance, but Article 9 goes on to make exceptions – also known as derogations – for the collection of Special Category Data. You may breathe a little sigh of relief now, but be aware: the collection of Special Category Data can be an onerous process for a business, and GDPR compliance is compulsory. In short, however, in terms of the GDPR, you can collect, process, and store Special Category Data in line with the derogations outlined in Article 9 of the GDPR, and where they are permitted under national or regional law.

Of course, as a company, you’d need to make specific cases for the collection, storage, and processing of Special Category Data, so it’s not as simple as it seems. The documentation, monitoring, and process implementation would need to include data protection impact assessments (DPIAs) and further records of data processing activities. 

That’s why you need a GDPR compliance partner that will help you stay on the right side of regulation. Get in touch with the ProPrivacy team and we’ll help you roll out a GDPR compliance programme that covers every requirement.