Do you hold special category data?

What is Special Category Personal Data?

Special category data is information about an individual which is particularly sensitive. This includes personal information, such as:

  • race or ethnic origin
  • political opinions
  • religious or philosophical beliefs
  • trade union membership
  • genetic data
  • biometric data for the purpose of uniquely identifying someone
  • physical or mental health
  • sex life or sexual orientation

Further regulations apply to information that relates to an individual’s criminal convictions and offences.

 

What Sort of Organisations Hold Special Category Personal Data?

All sorts of organisations hold this kind of information. If you are an employer, you may have information about your employees’ trade union membership or about their health, such as sick leave. Obviously, if you work in the health industry, whether that be in a hospital where major operations are carried out or a beauty salon providing eyelash extensions, your organisation will hold special category information about your clients. Many other industries also hold large amounts of this kind of data.

 

What Are Your Responsibilities if You Hold Special Category Personal Data?

Firstly, because this data is particularly sensitive you must have both a lawful basis and a separate condition for processing this data under the General Data Protection Regulation (GDPR). Some of the conditions are:

  • You have the individual’s explicit consent
  • The individuals are incapable of giving consent and it is in their vital interest
  •  It is necessary to establish, exercise or defend of legal claims or the courts are acting in their judicial capacity

There are 10 conditions in total – these are just a few examples.

You should determine your condition(s) for processing special category data and very clearly document it in order to comply with the GDPR.

 

Do You Need Additional Security if You Hold Special Category Data?

This data must be kept secure. The ICO recommends a layered approach to data security. For example: locked and alarmed buildings; locked filing cabinets; locked computers; encrypted files; strong passwords which change regularly. A Data Protection Professional can advise on the security measures you should take.

 

Is the Retention Period for Special Category Data Different?

The GDPR says that you should only keep personal information and special category personal data for as long as necessary for the purpose of processing. This means that the retention periods vary and depend on the type of data and why you are processing it. For example, personal data collected in relation to the performance of a contract is often retained for 6 years, whereas personal data relating to births is retained for 25 years. It is important to have a retention schedule setting out the different types of data you hold, and what the retention period is for each type.

 

What Are the Penalties for a Special Category Data Breach?

The penalty for a data protection breach depends on which Article of the GDPR has been breached. However, if the breach involves this type of data then the ICO may treat your organisation more harshly, and issue a higher penalty. These kinds of breaches can also have a negative effect on reputation.

If you are unsure whether you hold this type of data or worry that you may not be adhering correctly to the GDPR, get in touch with our team for support.

You can also find out how we help companies like yourself in managing your special category date by reading our case study.

related posts

Jack Penaligon

How to Respond to a Data Breach: A Practical Guide

This blog provides an overview of the practical steps organisations can take to reduce the impact of a data breach once it has been identified. It focuses on the actions that should be taken during the early stages of an incident to contain the breach, protect affected individuals, and meet regulatory requirements.

The article discusses a range of mitigation measures, including contacting unintended recipients of personal data, securing the deletion or recovery of exposed information, isolating compromised systems, and maintaining clear records of actions taken. It also explores the challenges posed by both digital and physical data breaches, highlighting the importance of balancing operational needs with data protection obligations.

Finally, the blog emphasises the value of preparation, explaining how established procedures, communication templates, and predefined response plans can help organisations respond more effectively and demonstrate accountability during a regulatory investigation.

Read More »
Noah de Wild

How to Assess a Data Breach: A Practical Guide

This blog explains how to assess a data breach by identifying its cause, determining what information was exposed, and evaluating the potential impact on affected individuals and the organisation. It outlines common causes of breaches, the importance of understanding the type and scale of compromised data, and how assessing the timeline of an incident can help businesses respond effectively, meet legal obligations, and reduce long-term risks.

Read More »
Noah de Wild

Don’t Panic: A Pragmatic Guide to the June 2026 Enforcement of the Data (Use and Access) Act Changes

With the June 19, 2026 enforcement of the Data (Use and Access) Act approaching, ensuring your business is compliant doesn’t have to be complicated or expensive. In our latest guide, we break down exactly what the new data protection complaint rules mean for you. Cut through the noise and discover our simple, free six-step checklist to update your protocols, designate handlers, and keep your business confidently compliant.

Read More »

Get a Free Consultation