This is the fifth blog topic about the impact of the General Data Protection Regulation (GDPR) on Consumer IAM projects. This blog is part of a series that touches on important topics for IAM experts who have an interest in the new EU regulations. This week’s topic is about how to handle ‘special categories of personal data’ often referred to as ‘sensitive personal data’.
The new GDPR prohibits the processing of certain categories of personal data. The processing (collecting, storing etc.) of these ‘sensitive personal data’ is in most circumstances not allowed. Although there is a list of exceptions to this general rule, sensitive personal data is almost always off limits for non-public organisations in relation to marketing.
What is sensitive personal data?
What distinguishes sensitive personal data from other personal data? Personal data, in general, is data that enables us to, directly or indirectly, identify a natural person by a common and often-used identifier such as a name, identification number, location, or online identifier (an IP address, for example).
What makes certain personal data fall into the category of sensitive personal data is that this type of data reveals racial or ethnic origin, political opinions, trade union membership and religious or philosophical beliefs, or the data concerns health, sex life and sexual orientation. Finally, genetic and biometric data can also be sensitive personal data.
Sensitive personal data – exotic data?
On the surface, this type of data does not seem to play a large role in communications and transactions between a business and a consumer. When you look closer, ‘sensitive personal data’ is not as exotic as one might think – just look at how a smartwatch uses this type of data or how smartphones receive push notifications. To many, these devices act as a personal health coach. Collecting the data and offering suggestions to feel better and improve one’s health situation and endurance is – under the new legislation – subject to tight restrictions. The same restrictions apply to offering things like personal advice to do exercises, take a break, or drink more water or less coffee when the advice is based on collected personal data. Why? Because GDPR considers data concerning your health to be ‘sensitive’.
Consent to a specifically mentioned purpose
Will this be the end of all services connected to smart devices that aim to improve your health, offer coaching, and monitor progress for runners and cyclists? By no means does GDPR necessitate that these services will go away, this new industry and GDPR can successfully coexist. However, the provided online health monitoring businesses must go to great lengths to acquire the explicit consent of data subjects (consumers) for the processing of their health-related data. Make sure that the consent is specific. The consent for the processing of personal data should be requested for a specifically mentioned purpose and should be limited to only those personal data strictly necessary for this purpose. The OK by the consumer must be ‘freely given, specific, informed and unambiguous’ meaning that there is little room for creative editing – wording such as “I agree to the processing of these health data… (number of heartbeats p/m, hours slept, distances walked per day etc.) for purpose x or y” must be crystal clear! It is not enough to offer a general consent confirmation that reads “by using this app I agree to the collecting and processing of any personal information for any purpose that may be necessary for this app to function properly.”
Obviously, there are cases where processing sensitive personal data is essential. For instance, employers may process such data when allowed by EU or national law or collective agreements. Another exception to the general rule is when it involves people’s vital interests and he/she can not give consent, such as when someone gets into a car accident and doctors need to find out about the person’s blood type in order to treat him/her, but the patient is unconscious.
The new regulation also offers exceptions to not-for-profit organisations with a political, philosophical, religious, or trade-union function. As an example, say that you want to become a member of a political party. Most people would consider their political opinions to be sensitive data and so does the GDPR. The political party is granted an exception to keep your contact details and does not need to ask your consent, but they are not allowed to disclose that you are a member.
Imagine that someone publicly conveys these political opinions on social media, using Twitter or Facebook posts? The GDPR has anticipated this scenario. Processing of this sensitive personal data is allowed because the data subject made his or her data manifestly public. No additional consent must be given.
There are other specific situations in which processing of sensitive personal data is allowed without additional consent. For example, it can be done in the context of judicial proceedings. The terms of GDPR also describe situations in which the processing of data can be necessary for reasons of substantial public interest as in the case of public health when serious cross-border health threats or disease outbreaks occur. When the development of preventative, occupational, or medical diagnostics (or providing health, social care, or treatment) is at stake, there is more room for collecting and processing sensitive personal data.
What are the implications for your organisation?
For some organisations, the new GDPR legislation may not change much at all if their processing practices were already compliant with high-standard international privacy and data protection guidelines and laws.
In all other cases, data controllers will face major changes due to the GDPR legislation. They should implement measures to safeguard the rights of data subjects. We already see organisations stepping up their efforts to comply with new regulations, for instance by appointing Data Protection Officers (DPO’s) or privacy professionals to help raise their standards, and by implementing organisational and technical measures. That in itself is good news for all parties involved!
Next time, we will cover ‘Privacy by Design’ and ‘Data protection by Design’.
The GDPR in all official European languages can be found here:
In a series of 9 blogs, we will dive deeper into the specific parts of the GDPR and their effect on IAM.
Corné van Rooij
VP Product & Strategic Alliances at iWelcome
Corné has been working in the security market for more than 20 years of which the last 15 years at two well-known Identity Management Vendors.
Feel free to repost this blog on your website! But when you do so, please be so kind to mention the source and give us a notice via Sales@iWelcome.com