GDPR & Special Category Data – What You Need To Know

Organisations should now be reviewing their processing of special category personal data and ensuring that any special category data they process is handled lawfully, fairly, securely and transparently.

The ICO has recently published new guidance on the risks facing organisations which process special category personal data (SCD). The ICO’s Director for Regulatory Assurance has also published a blog which highlights the risks to an individual’s fundamental rights and freedoms should something go wrong when processing SCD.

This emphasis on SCD and the publication of new guidance is a clear warning to data controllers that special category information must be given extra protection and handled with much more care.

It is also clear from this guidance that if SCD is misused, lost or stolen because of poor data protection practices, or because of a failure to fully appreciate the need to keep SCD secure, the likelihood of regulatory action by the ICO is very high.

What is Special Category Personal Data (SCD)?

The General Data Protection Regulation (GDPR) defines SCD as follows:

Organisations must be aware of whether they are collecting (processing) SCD. They should also be able to demonstrate that they have subjected the processing of SCD to rigorous risk assessments and that the data is securely held. Part of the risk assessment should be to question whether the processing of SCD is necessary at all.

What GDPR Documentation says

Article 6 of the GDPR requires that organisations have a valid lawful basis for processing personal data. There are six lawful bases for processing (consent, contract, legal obligation, vital interests, public task and legitimate interests).

Article 9 of the GDPR prohibits the processing of special category data. There are 10 exceptions to this prohibition which are referred to as ‘conditions for processing special category data.’

Organisations must ensure that their processing of SCD is lawful and that one or more of the above conditions applies. This must be documented.

Article 30 of the GDPR requires organisations to document their processing activities. This includes the categories of personal data that are processed and the retention periods for the different categories of personal data. Organisations should also document a general description of their technical and organisational security measures, both physical and digital (encryption, access controls, training).

In conclusion, organisations should frequently review their processing of SCD. Is it necessary to process SCD? If so, the reasons should be documented and there should be evidence of an enhanced risk assessment.

In the words of the Director for Regulatory Assurance at the ICO “It’s worth the time to get it right.”

As always, if you need any assistance with handling your organisation’s data, do not hesitate to get in touch with us. We offer a range of remote DPO services that we can tailor to you, so you can feel confident in how data is handled within your organisation.