Personal Data vs. Sensitive Data – General Terms

The digital industry is a treasure trove of sensitive information. Organizations today rely on collecting and storing sensitive and personal information to perform business-critical operations. Typically, such data includes collecting credit card payments, completing bank transactions, and tracking packages. Fortunately for consumers, however, numerous regulatory bodies worldwide have recognized the confidentiality of such data. As a result, regulators are enforcing various data privacy laws such as GDPR, HIPAA, NESA, CCPA, and many others to protect the integrity and confidentiality of such personal data. Thus, companies that collect, store, or process personal data are legally required to take the necessary measures to protect personal data.

The fine line between personal and confidential information

Is sensitive data the same as personal data? No, sensitive data has more stringent requirements that must be met for the organization to process it. In turn, the conditions for processing personal data are different. In a nutshell, personal data includes data that identifies an individual. Full names, birthdays, telephone numbers, home addresses, email addresses, and bank details fall under personal information. It is standard procedure for most apps and websites to collect this data, as it is required to make payments or support subscriptions.

Confidential information is personal information whose disclosure could leave an individual vulnerable to discrimination or harassment. While laws generally protect personal information, they pay particular attention to sensitive information because of its potential impact on an individual’s livelihood, quality of life, and capacity to engage in everyday tasks. It would seem simple, and that’s the end, but if it was so simple, why would people pay so much attention to it, right?

What is Personal Data?

We may define personal data as any information we can use to identify an individual. This includes name, number, address, age, email ID, etc. In addition, even personal data that categorizes your presence, such as CCTV footage, fingerprints or biometric prints, eye scans, etc., can be part of the information. Even data or information combined with other relevant information can lead to the identification of an individual, which can be classified as personal data.

However, it is essential to note that not all data can be personal. For example, a name itself only becomes personal data when that information is combined with data such as last name and phone number to identify an individual accurately. Organizations typically collect and store several pieces of information about data subjects, and this information can be considered personal data if they are put together to identify the data subject. Some of the most common examples of personal data include first and last names, home addresses, email addresses, ID numbers, location data, Internet Protocol (IP) addresses, etc.

What is Sensitive Personal Data?

Sensitive personal data refers to a particular category of personal data that requires additional security and special processing requirements. According to the GDPR, sensitive personal data includes:

• Political opinions
• Religious or philosophical beliefs
• Racial or ethnic origin
• The genetic information about an individual’s inherited or acquired traits
• Trade union membership
• Sexual orientation or sex life
• Biometric data such as fingerprints
• Data about a person’s physical or mental health

The General Data Protection Regulation outlines guidelines for collecting and processing sensitive personal data of EU citizens. There are separate rules for controllers and processors handling special categories of data. Processing such data poses risks to human rights. Therefore, additional security measures are necessary to protect sensitive personal data.

Obtaining consent and rules for storing sensitive personal data

A common misconception about the GDPR is that organizations need consent to process personal data. However, consent is only one of six lawful grounds for processing personal data. Explicit consent is required for sensitive personal data. Organizations that haven’t thoroughly studied compliance requirements risk getting some problems; enforcement action, regulatory fines, and loss of customers. The UK’s Data Protection Act (DPA) provides guidelines for storing sensitive personal data. Hard copies must be stored in a locked drawer or filing cabinet. Digital files containing sensitive personal data must be encrypted and stored in a folder with limited access controls. Additional conditions, safeguards, and exemptions are outlined in Schedule 1, Part 1.

Sensitive data exposure

Organizations and companies can expose sensitive data when the database storing the information is inadequately protected due to weak encryption, software errors, or employee mistakes. This can include healthcare and medical information, bank data such as account details, financial status, passwords or PIN codes, home or work address, and contacts. Data exposure differs from data breaches, where communication is accessed without consent or authorization. In data breaching, personally identifiable information such as name, contact details, bank account number and statements, and ATM pin is used by hackers to misuse data and gain money.

Differents for data security, privacy and compliance

The difference between personal and sensitive data lies in the level of harm that can result from exposure. For example, crooks can use personal data for spamming, phishing, or identity theft. In contrast, sensitive data can lead to more severe and private consequences, such as financial loss, medical identity theft, or reputational damage. Using sensitive data, hackers can inflict damage on you. Legal implications concerning collecting, using, and disclosing personal and sensitive data differ. Under HIPAA, laws protect explicit categories of sensitive data, such as health data. Personal data becomes sensitive to specific types or attributes that require special protection due to their potential impact on an individual’s privacy, security, or fundamental rights. The distinction between personal and sensitive data may vary based on legal frameworks and contexts. However, three standard criteria can classify personal data as sensitive: sensitive categories, contextual sensitivity, and potential for harm.

An organization needs to understand and classify the types of data it collects. Once you know the subtle differences between personal and sensitive data, you can review your obligations under GDPR. You can protect confidential and sensitive personal data based on the type of data processed. This knowledge will enable you to secure data and take appropriate steps to conserve all sensitive information to prevent incidents of a breach.

The post Personal Data vs. Sensitive Data: What is the Difference? appeared first on Gridinsoft Blog.

The Austrian Data Protection Authority has stated that the use of the Google Analytics statistics collection system violates the General Data Protection Regulation (GDPR) and poses a privacy risk.

NOYB (none of your business) founder Max Schrems, who successfully sued Facebook for violating the privacy of European citizens in the past, scored another victory, this time against Google. According to a court decision, Google Analytics is declared illegal for use on European websites.

The story began on August 14, 2020, when Max Schrems went to an Austrian site dedicated to health problems. The website used Google Analytics and the user data was sent to Google. With the help of the collected data, the tech giant was able to identify the user. On August 18, 2020, Schrems complained to the Austrian data protection authority.

During the trial, which lasted about two years, it became known that Google “is subject to surveillance by US intelligence agencies, and companies may be ordered to disclose the data of European citizens.” The collection of personal data was supposedly carried out using cookies.

The consequences could be far-reaching. Although the complaint concerned only one website publisher, it was one of 101 complaints filed at the same time a year and a half ago by NOYB. This massive offensive has prompted EU data protection authorities to coordinate their actions, so there is a good chance that up to 100 such decisions will be made.

If so, then websites operating in Europe would have a strong hurdle to stop using Google Analytics and other cloud services in the US.

Many companies in Europe may have to remove Google Analytics from their sites or risk being fined for violating the GDPR.

According to Google, in 15 years, US law enforcement agencies have never filed a request to provide information collected using Google Analytics. In addition, the tech giant invited the EU and US authorities to agree on a new data exchange model.

Let me remind you that we also wrote that Google developers told how they will implement Manifest V3.

You might also be interested to know that Hackers attacked Microsoft Exchange servers of the European Banking Authority.

The post Companies in the EU will have to remove Google Analytics from their websites appeared first on Gridinsoft Blog.