What separates the General Data Protection Regulation (GDPR) from its predecessors is its ability to recognize how the data landscape has changed over the past two decades. One way the regulation has accomplished that is by combining privacy protection with modern-day data processing techniques. And it has done so primarily through its recognition of special categories of data. The GDPR Special Categories of Data is a subsection of personal data that regulators have deemed as extra sensitive. This subsection of personal data requires additional security measures that ensure the privacy of the subject being processed.
This article will discuss that data and how you as a processor can best protect it.
Special Categories of Personal Data
What makes data special? According to the GDPR, special category data (SD) is personal data that, if leaked or lost, could have serious privacy concerns for the data subject. In the next section, we will explore the difference between regular personal data and special categories.
The kind of data that the GDPR considers “special category” are listed below:
- Racial or ethnic origin
- Political opinions
- Religious or philosophical beliefs
- Trade union membership
- Biometric or genetic data
- Health data
- Data concerning sexual orientation or sexual life
The privacy risks surrounding special categories of data go beyond identity fraud. Using the data mentioned above to identify a data subject could have adverse effects and could cause:
- Reputational damage or embarrassment
- Discrimination or personal harm
For this reason, the regulation distinguishes special categories in an article of its own and outlines restricted means of processing, which we will discuss later.
Personal Data vs. Special Category Data
What is something that you own but everyone else uses?
Your name is a form of Personally Identifiable Information (PII) but does not fall under special categories. Personal data and special category data are both a form of PII. The difference is that the regulation puts more restrictions on the processing of special categories.
As we mentioned prior, exposure to SD can significantly impact the data subject’s rights and freedoms. However, this is not the case for personal data; finding out someone’s name is unlikely to have a massive impact on their rights and freedoms.
We should clarify that the “rights and freedoms” do not refer to the ones mentioned in the GDPR (for example, the Right to be forgotten). But instead, refer to the general rights and freedoms afforded to all EU citizens; this is what makes the special categories data “special.”
Some examples of a general right would be:
- Freedom of thought, conscience, and religion
- Freedom of expression
- The right to bodily integrity
The idea being that processing this kind of data could interfere with these types of rights and freedoms. Hence, organizations need to take extra care when dealing with this type of data.
While other personal data types are also considered sensitive, the loss would not raise the same issues as special categories would.
You will still need to apply the same safeguards to both types of data. The reason being that in a data leak, aggregated personal data can give attackers access to your customers’ digital livelihood, exposing them to all manner of identity fraud and financial loss.
Lastly, unlike personal data, you cannot process special categories under the legitimate interest category, and lawful processing is a more stringent requirement. This would only apply to businesses anyway, and government bodies have slightly different rules, which we will explore next.
When Can You Process Special Category Data?
There are rare cases when a business can process this category of special data. The lawful processing of special category data falls under article 9 of the regulation.
Within the article, the processing of this kind of data is strictly prohibited unless you can satisfy the article’s conditions. There are complicated legalese in the article, so we will simplify it, but you can find it here if you wish to check out article 9 in its entirety.
If you are a business, you can only process this kind of data if you have express consent from the data subject. There is no legitimate business interest that will allow you to process special categories lawfully.
And it is essential to mention that even with express consent from the data subject, member states can still explicitly prohibit the processing at their discretion. Member states are just EU countries included within the regulation.
This means that even though the French government allows French data subjects to consent, the German government might not. Please keep in mind that this is just an example, so please check with local law enforcement whether this is possible or not, and don’t hesitate to contact an expert for compliance advice.
However, there are cases where processing is still lawful, although consent is not received. In brief, the exceptions are:
- Obligations in the field of employment
- Protect the vital interest of the data subject, and the data subject is incapable of giving consent.
- Foundation or non-profit with a religious, philosophical, or trade union membership aim, with a legitimate interest (keeping in mind that appropriate safeguards must still be employed)
- Personal data that is manifestly made public by the data subject
- Courts acting in their judicial capacity
- Reasons of substantial public interest
It is unlikely that business will satisfy any of these reasons. In the cases that express consent is given, and whether or not you have other lawful grounds to process that data, the protection of data falling under the designation of special categories is important.
Protecting Special Category Data
Protecting special categories does not differ that much if you are already employing high-standard security methods. But some precautions must be highlighted when dealing with processing.
The GDPR outlines two main safeguarding techniques that will also result in compliance if implemented correctly:
- Organizational Safeguards
- Techncial Safregaruds
However, there is no specific mention of how the organization should implement these safeguards. Neither is there any mention of what the organization should be using (in terms of software solutions or method).
But the cyber industry has worked closely with regulators. It is consistently developing new frameworks and agreeing on best practice methods, which we will take you through in the coming sections.
When it comes to protecting special categories of data, the organizational safeguards will form most of the strategy. Managerial safeguards are the techniques of data protection that are on a company-wide scale.
It doesn’t look at the information system in isolation but rather as a living system that involves many moving parts.
You will often see policies as the main driver behind organizational safeguarding implementation.
Risk-Based Approach To Special Category Data
The GDPR stresses the importance of taking a risk-based approach to security. Essentially, organizational security becomes a good management practice over applying the latest software solutions as a catch-all to your security needs.
This is especially true regarding special category processing. Human error is still the main culprit of data breaches. Applying appropriate technical safeguards is one thing, but if a staff member ends up losing the data in an unencrypted storage device, the whole exercise is pointless.
So when we refer to a “risk-based approach,” we mean realizing all the potential ways the information system could fail for reasons other than technical cyberattack (i.e., breaches bypassing encryption).
What does it look like to have a risk-based approach to select categories of data protection?
Generally, you will take a risk-based approach through enacting an organizational security policy.
Here are some examples of organizational policies regarding the processing of special category data you want to employ.
Access Controls: you should limit who has control over the special categories of data. Access should only be authorized to personnel who require it for their job function. Another form of access control can come from a password management policy. All staff who have authorized permission will need to adhere to the password management policy as an extra security layer. Employing these additional steps will show good faith with the regulators and keeping you on the right side of the law.
Privacy Risk Assessments: All staff members involved in processing special categories will need to be aware of the privacy risks associated with processing this kind of data. When forming the risk assessment, you should involve as many personnel as possible and keep them up to date on all policies regarding:
Involvement in these business operations will help mitigate privacy risks.
When in doubt, framework it out: you don’t need to build a security strategy from the ground up. Take advantage of the many security frameworks that established organizations have worked hard to develop. Many industries already use frameworks like:
- CIS CSC
- NIST 800 SP
- ISO 27001
- NIST Cybersecurity Framework
Take some time to examine which one will work best for you, and use it as a road map to security implementation. Many will already cover necessary data protection and more. In short, it will help you achieve privacy by design and default.
Staff Awareness Training
Enacting policy is one thing, but no one following it is an entire challenge in itself. Designing an acceptable security policy will only get you so far. You need to make a concerted effort to ensure all staff is on the same page as you.
A staff awareness training program will do just that. The policies designed through implementing organizational safeguards will guide you in developing a training program. The policies essentially become the training requirements.
Coupled with the proper use of technical safeguards (discussed in the next section), you will have a complete staff awareness training program.
The technical safeguarding of special categories of data will involve the use of software solutions.
The GDPR does mention the use of technical safeguards, but only one article mentions the direct use, which is encryption. However, other forms of safeguarding go beyond just encrypted or pseudonymization of personal data, which we will explore in this section.
The number one technical safeguard is the use of encryption. Encryption is directly mentioned in the regulation, so you can’t discuss technical safeguards without talking about encryption methods.
Some common type of encryption methods that would be appropriate to use in protecting special categories of data are:
- PKI infrastructure: critical public infrastructure is a common enterprise encryption solution as it works well for sizeable private information systems. It is adaptable to the number of users, and it is also commonly used on the internet today.
- SHA 256 and Hashing: Hashing is an encryption technique used in password protection. Some blockchains will also use hashing cryptography as a means of security, and it transfers well to data protection.
- Pseudonymization: another technique mentioned directly in the regulation. This process involves removing specific “identifiers” from the data. This way, attackers who do get a hold of the data cannot make a logical assumption about to whom the data belongs.
The main goal of encryption is to ensure the integrity of the special categories of data. Encryption ensures the “message” or data, in this case, has not been tampered with or altered in any way. It also means that any breach would mean that the data remains secured behind an encryption wall.
Ideally, the encryption would stop the breach from happening, but it is best to be extra secure and encrypted the data itself.
Social proofing is an organizational issue, but the technical aspects also make it a technical safeguard. Essentially, social proofing is ensuring that your personnel doesn’t fall prey to social engineering.
This form of safeguarding should be the main focus of the staff awareness training program. However, it should not be limited to only social proofing (staff training in proper workstation use and the appropriate handling of sensitive data is vital).
Some techniques of social proofing involve:
- Spam and phishing awareness: staff should be aware of links and spam emails and how to detect and avoid them.
- Social media phishing: hackers are becoming more sophisticated. They will target staff members and attempt to befriend them to access sensitive parts of the information system.
The staff must know social proofing techniques when dealing with special categories of data, as the potential privacy risks attributed to this type of data are very high.
You will need to take extra precautions if you are processing special categories of data and ensure that you are legally allowed to process it in the first place. However, the security process of protecting that data does not differ too much from the standard security approach.
As long as you are always employing best practice models, you can assure your data subjects that their data protection is your top priority.
And if you are looking for the best practice approach to data protection, get in contact with RSI Security today.
We can help you reach your GDPR compliance goals. Whether you are processing special categories of personal data or need help developing a compliance strategy, RSI security is here for you. Schedule a consultation here.