The General Data Protection Law came into force in Brazil with the aim of guaranteeing citizens more privacy, giving them certainty that their information is being handled correctly. But within this law, what is considered sensitive data receives special attention and deserves even more care on the part of controllers and operators.
In this article, find out what this information is and how to protect it.
What is personal data?
Personal data is information (or a set of information) that makes it possible to identify the data subject. Examples are name, social security number, e-mail address and telephone number.
What is sensitive data?
Sensitive data is also personal, as it allows the individual to be identified, but it is a little more invasive, as it leaves the data subject more exposed.
According to the LGPD, this group includes information relating to:
racial or ethnic origin;
religious conviction;
political opinion;
membership of trade unions or religious, political and philosophical organizations;
health or sex life;
genetic or biometric data.
This data receives special attention from the law because it can be used in a discriminatory way. For this reason, the legislation limits the possibilities for collecting and processing it.
When can sensitive data be processed?
The main legal basis for processing data classified as sensitive is the consent of the data subject for a specific purpose. Without this declared permission from the individual, processing is only possible when the data is indispensable for:
implementation of policies by the Public Administration;
fraud prevention and security of the data subject;
compliance with legal or regulatory obligations by the controller;
studies carried out by research organizations;
regular exercise of rights;
protection of the life or physical safety of the data subject or a third party;
health protection.
Precisely because it requires more care in processing, companies that collect sensitive data need to adopt stricter security measures.
How do you guarantee the security of sensitive personal data?
To guarantee the security of data of all kinds, it is important to implement the LGPD in your organization, for example by mapping risks and carrying out an Impact Report. In addition, it is worth adopting measures and tools to reinforce Information Security, such as:
increased control over the access and identities that can manipulate this data;
Privileged Access Management (PAM);
anonymization of data whenever possible;
among other alternatives.
In the process of adapting to the law, you will be able to map out the needs of your business in relation to the data you collect and for what purpose.