PD + SD = SC. Have you worked it out yet?
For some companies, it’s a must…
For many, this time of year throws up lots of questions: Does the Easter Bunny really exist? When did Creme Eggs get so small? And did I really manage to eat all that chocolate in one sitting?
So, here’s a conundrum of our own for you: PD + SD = SC.
Don’t worry – you don’t have to be a childhood maths prodigy or algebra whizz to work this one out; just someone who’s taking their GDPR responsibilities seriously…
…For instance, any organisation that, in addition to processing customers’ personal data (PD), also processes sensitive data (SD) about them.
If that’s you (and often it’s professional service businesses such as legal firms and those involved in healthcare), then you’re dealing with ‘special category’ (SC) data which means there’s something extra you need to have in place…
SC = Special Category…
Special category data is the term the GDPR uses for personal data it classes as more sensitive (broadly similar to ‘sensitive personal data’ under the Data Protection Act 1998).
The following are the special categories:
- racial or ethnic origin;
- political opinions;
- religious or philosophical beliefs;
- trade union membership;
- data concerning health, sex life or sexual orientation;
- genetic data;
- biometric data (where processed to uniquely identify a person).
Because this type of data could create more significant risks to a person’s fundamental rights and freedoms (e.g. by putting them at risk of unlawful discrimination), it warrants special category status and therefore needs more protection. That is why the GDPR requires an extra condition to be satisfied before you can process it.
Sometimes, having a lawful basis isn’t enough to process someone’s data…
You’ll know already from our ‘To process or not to process? Now that’s the question!’ blog that just to process someone’s personal data you need a lawful basis to do so.
However, if the data you’re processing also contains any of the sensitive information above, then your original lawful basis (under Article 6) isn’t enough on its own: you also need to identify and document a separate condition (under Article 9) to justify your processing of the special category data.
…You also need to satisfy 1 of 10 conditions for processing special category data.
There are 10 conditions for processing special category data under Article 9(2) of the GDPR – here they are in very brief form:
- Explicit consent of the data subject.
- Necessary for the carrying out of obligations under employment, social security or social protection law.
- Necessary to protect the vital interests of a data subject physically or legally incapable of giving consent.
- Processing carried out by a not-for-profit body with a political, philosophical, religious or trade union aim, in relation to its members, former members or people in regular contact with it.
- Data manifestly made public by the data subject.
- Necessary for the establishment, exercise or defence of legal claims.
- Necessary for reasons of substantial public interest, on the basis of law and with appropriate safeguards.
- Necessary for the purposes of preventative or occupational medicine, medical diagnosis, or the provision of health or social care or treatment.
- Necessary for reasons of public interest pertaining to public health.
- Necessary for archiving purposes in the public interest, or scientific and historical research purposes or statistical purposes.
Your choice of lawful basis doesn’t dictate which special category condition you must apply, and vice versa; the two don’t need to be linked, although in some cases they naturally are. (For example, if you use consent as your lawful basis, you can then use explicit consent as your special category condition, but you’re not restricted to it.)
Either way, as with all of your decision-making, you should choose whichever special category condition is the most appropriate in the circumstances and determine this (as well as having it clearly documented) before you begin or recommence processing under the GDPR.
Some final thoughts to consider:
- Ensure you are clear about the grounds relied on by your organisation to process sensitive data, and check that these grounds will still be applicable under the GDPR.
- Where relying on consent, ensure that the quality of consent meets the GDPR’s stricter standard (freely given, specific, informed and unambiguous) and that, for special category data, it is explicit.
- Consider whether rules on children are likely to affect you, and, if so, which national rules you will need to follow when obtaining their consent.
- If you process substantial amounts of genetic, biometric or health data, ensure you pay attention to national developments as Member States have a broad right to impose further conditions – including restrictions – on the grounds set out in the GDPR.
Do you have everything covered?
Hopefully, with only a couple of months left until GDPR Day, you’ve got around to reviewing everything and ensured that you’ve not overlooked any of your obligations!
However, if you’d like to discuss any queries surrounding special category processing or want to involve us for a final once-over of your GDPR preparations, please get in touch.
And just in case you were wondering whether we’re algebra whizzes, there’s a simple answer to that: we’re most definitely not. In fact, until a recent quiz, we’d always believed that E=mc² was best known for being an 80s hit by Big Audio Dynamite.
Until next time...