  • February 02, 2023

What Is Sensitive Data? Definition, Types, & Protection

John Hetherton

Head of Compliance

What is sensitive data, and how should you handle it? Are there things you can do from the get-go during app development to build better security for your sensitive data?

If these are the kinds of questions you’re asking, you’ve come to the right place.

We envision a world where everything is encrypted and are building our platform to enable that seamlessly. However, we are currently constrained by contemporary cryptography—and there can sometimes be a tradeoff between security and performance. That’s why we suggest you start with encrypting and protecting your most sensitive data.

But what is sensitive data? Good question.

What Is Sensitive Data?

Sensitive data refers to information that is private, confidential, or otherwise protected by law. However, the specifics of what sensitive data entails differ by location.

In the European Union, Article 9 of the General Data Protection Regulation (GDPR) contains a list of special categories of personal data that are subject to additional protections.

These categories are sensitive data types revealing:

  • Racial or ethnic origin
  • Political opinions
  • Religious or philosophical beliefs
  • Trade union membership

They also include:

  • Genetic data
  • Biometric data for the purpose of uniquely identifying a natural person
  • Data concerning health
  • Data concerning a natural person's sex life or sexual orientation

In the United States, the definition of sensitive data varies widely across legislation but is broadly defined as:

  • Personally identifiable information
  • Financial information
  • Medical information
  • Information about children under the age of 13

Handling and protecting sensitive data is critical—there can be severe consequences if it falls into the wrong hands. Data breaches can lead to identity theft, financial fraud, and significant penalties from regulators.

When building out your application, it helps to think about how this data flows through your build from the very start. One way of classifying sensitive data is by the potential harm a breach of that data could cause. Data that can be used to commit fraud or steal someone's identity is highly sensitive by definition, and this type of data is often called PII (personally identifiable information).

What Is PII (Personally Identifiable Information)?

PII (Personally Identifiable Information) is a specific category of data. While its precise definition varies by jurisdiction, it can be generally defined as any information that could be used to identify an individual.

Examples of PII include:

  • Name
  • Address
  • Social Security Number
  • Driver's Licence Number
  • Passport Number
  • Credit Card Number

Other types of information that can be used to authenticate an individual, such as fingerprints and facial recognition data, can also be considered PII.

PII can also include online identifiers, such as IP addresses, email addresses, or usernames. In some cases, a combination of different pieces of information can also be considered PII, such as an individual's first name combined with their date of birth and postcode. These 'pseudo-identifiers' are more likely to be considered PII in the EU compared to the US.

How to Handle Sensitive Data to Prevent Exposure

The law requires companies and organizations that handle sensitive data to implement specific security measures to protect it. These measures include secure storage and restricted access to the data. However, even with these measures, sensitive data can still be vulnerable to breaches.

This is why it's essential for companies to take steps to protect their sensitive information. This includes:

  • Strong passwords
  • Multi-factor authentication
  • Fine-grained and regularly reviewed authorization

However, these measures aim to treat the symptoms of the issue rather than the root cause. They can offer you additional security but will never fully protect you.

Encryption, the process of using a key to convert plaintext data into an unintelligible string, goes one step further and actually conceals data within a database. If a malicious actor gains access to your encrypted database, there is no way they can read the data without the decryption key.
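
The idea of encrypting only the most sensitive fields so that database access alone does not reveal them, as an added example (not Evervault's code or API). It uses Node's built-in crypto module with AES-256-GCM; the field names, the sample record, and the locally generated key are assumptions made for illustration.

```javascript
const crypto = require("node:crypto");

// Hypothetical column names, mirroring the PII examples listed in the article.
const SENSITIVE_FIELDS = new Set(["name", "address", "ssn", "passportNumber", "cardNumber"]);
const b64 = (buf) => buf.toString("base64");

// AES-256-GCM with a fresh 96-bit nonce per value. The field name is bound as
// additional authenticated data, so a ciphertext cannot be swapped between columns.
function encryptField(key, field, value) {
  const iv = crypto.randomBytes(12);
  const cipher = crypto.createCipheriv("aes-256-gcm", key, iv);
  cipher.setAAD(Buffer.from(field, "utf8"));
  const ct = Buffer.concat([cipher.update(String(value), "utf8"), cipher.final()]);
  return `enc:${b64(iv)}:${b64(ct)}:${b64(cipher.getAuthTag())}`;
}

function decryptField(key, field, token) {
  const [prefix, iv, ct, tag] = String(token).split(":");
  if (prefix !== "enc" || !tag) throw new Error(`field ${field} is not encrypted`);
  const decipher = crypto.createDecipheriv("aes-256-gcm", key, Buffer.from(iv, "base64"));
  decipher.setAAD(Buffer.from(field, "utf8"));
  decipher.setAuthTag(Buffer.from(tag, "base64"));
  // final() throws if the key, field name, or ciphertext does not match the tag.
  return Buffer.concat([decipher.update(Buffer.from(ct, "base64")), decipher.final()]).toString("utf8");
}

// Transform only the sensitive columns; everything else stays queryable plaintext.
function mapSensitive(record, fn) {
  return Object.fromEntries(
    Object.entries(record).map(([k, v]) => [k, SENSITIVE_FIELDS.has(k) ? fn(k, v) : v])
  );
}
const protectRecord = (key, rec) => mapSensitive(rec, (k, v) => encryptField(key, k, v));
const revealRecord = (key, rec) => mapSensitive(rec, (k, v) => decryptField(key, k, v));

// Constructed sample data. In production the key comes from a KMS or secrets
// manager and is never stored alongside the database.
const key = crypto.randomBytes(32);
const customer = { id: 42, plan: "pro", name: "Jane Example", ssn: "000-00-0000" };
const stored = protectRecord(key, customer);
console.log(stored); // what someone with only database access would see
```

Decrypted values come back as strings, so this sketch suits text columns; the protection holds only as long as the key is kept outside the database it protects.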

It's also vital for companies to be transparent about how they collect, use, and protect sensitive data. Companies must inform individuals about what data is being collected, how it will be used, and who will have access to it. Individuals should also be able to easily opt out of data collection or request to have their data deleted.

Protect Your Sensitive Data

With this knowledge, how will you think about sensitive data when building your applications? At Evervault, we believe sensitive data should be protected by default. With our platform, you can protect sensitive data without compromising usability.

Check out this guide to the best practices for preparing your data for encryption. If you need help getting started, send us a note, and we’ll be happy to help.
