How to correctly process sensitive data?

It is especially important for companies in the medical, cosmetics and education industries.

Special categories of data (sensitive data) are personal data revealing:

  • – racial or ethnic origin,
  • political views,
  • religious or ideological beliefs,
  • trade unions membership, 
  • genetic data,
  • biometric data to uniquely identify a natural person,
  • health care data,
  • relating to a person’s sexuality or sexual orientation.

The processing of sensitive data is allowed only in specific cases and entails more restrictive obligations of the administrator.

Additional restrictions, which will be discussed, also apply to personal data regarding convictions and violations of the law and related security measures imposed on a person.

When can sensitive data be processed?

As a general rule, the processing of sensitive data is only allowed when:

  • the person to whom the data relates has given their consent; or
  • when no other means can achieve important objectives for the public (such as security protection) or the individual (such as health protection).

The data protection law has described these purposes as follows:

  • necessary for judicial and statutory purposes
  • necessary for the administration of justice;
  • necessary to protect the vital interests of the data subject or another natural person;
  • necessary to protect children and people at risk;
  • the processing concerns personal data already in the public domain (of course made public);
  • necessary for legal claims;
  • necessary when the court is acting within its judicial powers;
  • necessary to prevent fraud;


  • necessary for archival, research or statistical purposes.

What companies does this apply to?

Sensitive data is primarily processed by government and public institutions, but also by hospitals, clinics, medical practices, laboratories, physiotherapists, dieticians, and companies offering dietary catering, restaurants, beauticians providing simple cosmetic treatments, pharmacies, companies transporting patients and delivering medicines, companies providing care for elderly and children, schools, political parties, trade unions, churches, companies providing various services for individuals who have served a prison sentence, lawyers, employment agencies, financial and credit advisors, and often also by companies completely unrelated to healthcare or politics, but simply collecting information from employees about whether they belong to a trade union.


What obligations do you have when processing sensitive data?

Firstly, you must be able to demonstrate that the processing is absolutely necessary and meets one of the conditions described above.

Secondly, processing sensitive data requires you to conduct a Data Protection Impact Assessment (DPIA).

Using this document, you should be able to assess the level of risk associated with processing sensitive data, the scale of the data being processed, and whether you are required to appoint a Data Protection Officer (DPO) – a person who is an expert in personal data and supervises and advises on the application of the UK GDPR in your company.

This obligation has been imposed on public entities without exception, while for companies, it depends on the amount of data processed. If you process sensitive data on a large scale, this obligation applies to you, but if you process it on a small scale, you are not required to appoint a DPO.

The regulations do not specify the concept of a large scale, but it is generally assumed that a single medical practice processes personal data on a small scale, while larger companies with multiple locations should be considered as processing on a large scale and therefore required to have a DPO.

On the ICO website, you can answer some basic questions about your organisation to find out whether this obligation applies to you.

Thirdly, you should develop particularly strict procedures for protecting sensitive data in your company (“Sensitive Data Policy”), and assign them only to authorised and trained employees in terms of personal data processing.

Fourthly, make sure to provide training for your employees. They should know how to apply the data protection regulations in practice.

Fifthly, since the most common cause of personal data breaches is human error, it is important to consider the flow of personal data within your company. Try to separate duties in such a way that only trained and authorised employees who are involved in processing personal data take part in such activities.

Finally, sixthly – your company most likely needs a Data Protection Licence if you operate it in the UK. You can check what type of companies are subject to this obligation on the ICO website or in our article on this topic.


Who is the Data Protection Officer?

The basic scope of responsibilities of a DPO include:

  • Providing assistance and advice on monitoring compliance with data protection laws
  • Providing advice on data protection impact assessments (DPIA)
  • Acting as a point of contact for individuals whose data is being processed
  • Acting as a point of contact for the supervisory authority, which is the Information Commissioner’s Office (ICO) in the UK.

Your DPO must be independent, an expert in the field of data protection, and can be either an existing employee or appointed from outside the organisation.

Their contact details, including their full name and at least an email address, must also be disclosed in your Privacy Policy, internal records, and reported to the ICO, where they will be visible in the public register as your DPO for your “Data Protection Licence.”

If you would like to entrust us with the role of DPO in your company, here is what we will be doing as part of this service:

  • Notify you of any legal changes related to GDPR / UK GDPR,
  • Maintain the “Record of processing activities” in accordance with Article 30 of the GDPR,
  • Provide unlimited online and phone consultations,
  • Conduct regular audits of your company (at least once a year),
  • Implement legally required changes to documentation,
  • Represent you in front of the ICO (including in case of breaches) and data subjects (Data Subject Access Requests).

Click on the DPO button to learn more about our offer

that in case of a breach of UK GDPR in your company -
you have only 72 hours to react correctly,
and in the case of telecommunications companies -
only 24 hours.

Penalty for not appointing a Data Protection Officer

If you are obliged by regulations to appoint a DPO in your business and you fail to do so, you may be fined.

The maximum penalty for a breach of UK GDPR is £17.5 million or 4% of your annual turnover, whichever is higher.

In practice, however, while many entities have been fined for this violation, the highest penalty imposed so far in the EU for failing to appoint a DPO in violation of an existing obligation is €75,000 (by the Italian Supervisory Authority).

Have a question?

Go to our service page if you need a consultation or other help related to UK GDPR

Our Service
Scroll to Top
Cookie Consent with Real Cookie Banner