Special category data under the GDPR

Broadly speaking, there are two main categories of personal data under the GDPR, general personal data and special category personal data.

The Information Commissioner’s Office (ICO) has issued updated guidance for controllers around handling special category personal data.

What is special category personal data?

It includes personal data revealing or concerning someone’s:

• Racial or ethnic origin;
• Political opinions; religious or philosophical beliefs;
• Trade union membership;
• Genetic data;
• Biometric data (where used for identification purposes);
• Health; sex life; or a person’s sexual orientation.

Updated guidance around lawful processing of special category personal data

The updated ICO guidance provides more detail to data controllers to ensure they remain compliant when processing special category data.

As a data controller you must always ensure that you have a GDPR lawful basis to process data under Article 6, and when you are processing special category data you also need:

  • An Article 9 condition for processing; and
  • Potentially an associated Data Protection Act (DPA) 2018 Schedule 1 condition.

In some cases you also need an appropriate policy document in place in order to meet a UK Schedule 1 condition for processing in the DPA 2018. The ICO has included a template appropriate policy document as part of the updated guidance. This is a short document which is used to outline your compliance measures and retention policies with respect to the data you are processing.

You need to carefully consider the purposes of your processing and identify which of these conditions are relevant.

It’s important to keep records, including documenting the categories of data that you process. In addition, consider how the risks associated with special category data affect your other obligations under the legislation, for example data minimisation, security and transparency.

Lastly, keep in mind that you need to complete a data protection impact assessment (DPIA) for any type of processing which is likely to be high risk. You must therefore be aware of the risks of processing the special category data.

Visit Markel UK for small businesses and freelancers' guide to GDPR.