Publication date 12/05/2026
Person working on a computer with padlock icons

People have always left traces of information behind them, but digitalisation has multiplied the risks. In the physical world the amount of personal data we hand over is small and visible, because material barriers limit how far it can circulate. The expansion of the digital environment changed that scenario completely. Today we generate and disseminate data constantly: a simple internet search, the use of an application, a social network or an online service. Each interaction produces information that says a lot about who we are, adding to the data we already provide in the physical world, often without our being aware of it.

Understanding how this information is protected, especially when it includes sensitive data, is essential for public and private organisations, for regulatory reasons but also for ethical ones. In this post we set out some key points.

What is personal data? What about sensitive data?

In the field of data protection, it is essential to understand what type of information we handle and why its processing requires special care. Personal data is any information that allows a person to be identified, directly or indirectly. This ranges from obvious elements – such as name, address or an identification number – to less intuitive ones – such as location data, IP addresses or combinations of information that, together, allow an individual to be recognized. Protecting this data is essential to ensure privacy and each person's right to control how their information is used.

Within personal data there is a particularly sensitive group, which the GDPR calls special categories of personal data: information that reveals intimate aspects of a person's life, such as racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, genetic and biometric data used to identify someone, health, sex life or sexual orientation. Because of its nature, misuse of this data can lead to discrimination, stigmatisation or emotional harm, so it requires an even stricter level of protection.

Understanding the difference between personal data and sensitive data is a key step in designing effective security strategies and building trust among users.

When an organization correctly classifies the information it handles, it can apply protective measures tailored to the actual risk and demonstrate a firm commitment to privacy.

Regulatory framework for personal data

The General Data Protection Regulation (GDPR) sets out how personal data should be processed within the European Union. It unifies the rules throughout the territory, reducing bureaucracy and increasing legal certainty for organizations.

Its main objective is to protect people when their data is processed by public or private entities, ensuring that they retain control over their information and that it is managed in a secure, transparent way that respects their rights. To this end, the GDPR introduces principles such as data minimisation, purpose limitation, accuracy, integrity and confidentiality, which oblige organisations to collect only the information that is strictly necessary and to protect it appropriately. In addition, the GDPR expands and clarifies the rights of individuals. For example, it requires clear information to be provided on how and why data is processed, defines the right to portability (the transfer of data between providers) and the right to erasure, or "right to be forgotten" (the deletion of data when there is no longer a legitimate basis for processing it), and establishes the obligation to notify personal data breaches to the supervisory authority (within 72 hours where feasible) and to the affected individuals when the breach is likely to result in a high risk to them.

Among the measures it establishes for organisations that process data in the EU, the following stand out:

  • A Data Protection Officer, mandatory in certain cases (public authorities, large-scale regular and systematic monitoring of individuals, or large-scale processing of special categories of data).
  • A one-stop-shop mechanism to simplify supervision in cross-border cases.
  • Data protection by design and by default.
  • Use of techniques such as pseudonymisation and encryption to minimise risks.
  • Data protection impact assessments (DPIAs) when the processing is likely to pose a high risk to individuals.
  • Clear rules for international transfers through adequacy decisions, standard contractual clauses or binding corporate rules.
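The pseudonymisation point deserves a concrete illustration, because the technique is often implemented wrongly: hashing an identifier with an unkeyed hash looks anonymous but is reversible by simple enumeration whenever the identifier comes from a small space (postal codes, dates of birth, phone numbers). What makes a hash a GDPR-style pseudonym is a secret key kept apart from the dataset. The following is an added example written for this post, not code from the original page or from any regulator; the records are constructed, the attacker is assumed to see the dataset but not the key, and the postal code range used for enumeration is the set of syntactically valid Spanish codes (01000 to 52999).

```python
"""Pseudonymisation: keyed hash versus unkeyed hash.

Added example, not code from the original post. Attacker model: someone who
sees the pseudonymised dataset but not the key. All records are constructed.
"""
import hashlib
import hmac
import secrets
from typing import Callable, Iterable, Optional

# Constructed sample records (invented values). customer_id is a direct
# identifier; postal_code and dob are quasi-identifiers; diagnosis is a
# special-category (health) field that stays in the record.
RECORDS = [
    {"customer_id": "C-000123", "postal_code": "28013", "dob": "1984-07-02", "diagnosis": "asthma"},
    {"customer_id": "C-000124", "postal_code": "08002", "dob": "1991-11-15", "diagnosis": "none"},
]


def naive_pseudonym(value: str) -> str:
    """Unkeyed SHA-256. Opaque-looking, but anyone can recompute it for every
    candidate value, so for a small value space it hides nothing."""
    return hashlib.sha256(value.encode("utf-8")).hexdigest()


def keyed_pseudonym(value: str, key: bytes, field: str) -> str:
    """HMAC-SHA256 under a secret key stored apart from the dataset (the
    'additional information kept separately' that GDPR pseudonymisation relies on).
    The field name is mixed in so equal strings in different fields get different tokens."""
    msg = field.encode("utf-8") + b"\x00" + value.encode("utf-8")
    return hmac.new(key, msg, hashlib.sha256).hexdigest()


def pseudonymize(record: dict, key: bytes, fields: Iterable[str]) -> dict:
    """Copy of `record` with the named identifier fields replaced by keyed
    pseudonyms. Remaining fields are untouched, so the output is still personal
    data under the GDPR (re-identifiable with the key), not anonymous data."""
    out = dict(record)
    for f in fields:
        out[f] = keyed_pseudonym(str(record[f]), key, f)
    return out


def reverse_by_enumeration(target: str, candidates: Iterable[str],
                           pseudonym_fn: Callable[[str], str]) -> Optional[str]:
    """Dictionary attack: recompute pseudonym_fn for each candidate until one matches."""
    for c in candidates:
        if hmac.compare_digest(pseudonym_fn(c), target):
            return c
    return None


def spanish_postal_codes() -> Iterable[str]:
    """Every syntactically valid Spanish postal code, 01000 to 52999 (about 52,000 values)."""
    return (f"{n:05d}" for n in range(1000, 53000))


def demo(key: Optional[bytes] = None) -> dict:
    """Pseudonymise the first record both ways and try to reverse the postal code."""
    key = key if key is not None else secrets.token_bytes(32)  # in production: from a KMS/HSM
    pc = RECORDS[0]["postal_code"]
    naive = naive_pseudonym(pc)
    keyed = keyed_pseudonym(pc, key, "postal_code")
    return {
        # The unkeyed hash falls to roughly 52,000 hash computations.
        "naive_recovered": reverse_by_enumeration(naive, spanish_postal_codes(), naive_pseudonym),
        # Without the key the attacker can only try keyless guesses; none match.
        "keyed_recovered": reverse_by_enumeration(keyed, spanish_postal_codes(), naive_pseudonym),
        "pseudonymized": pseudonymize(RECORDS[0], key, ["customer_id", "postal_code", "dob"]),
    }


if __name__ == "__main__":
    result = demo()
    print("unkeyed hash reversed to:", result["naive_recovered"])   # 28013
    print("keyed hash reversed to:", result["keyed_recovered"])     # None
    print("pseudonymized record:", result["pseudonymized"])
```

Two caveats a practitioner should keep in mind. The keyed pseudonym is deterministic, which is what allows records to be joined across systems, but it also means the tokens are linkable and the dataset remains personal data until the key is destroyed. And the remaining fields (here a diagnosis) still carry the special-category risk; pseudonymisation reduces exposure, it does not remove the need for access control on the record.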

When it comes to sensitive data, the GDPR raises the level of protection even further. Processing is prohibited by default and is only allowed where one of a closed list of conditions applies, the best known being the explicit consent of the data subject. In addition, organisations must implement strengthened measures, such as impact assessments, strict access controls or specific security protocols.

In Spain we also have the Organic Law on Data Protection and Guarantee of Digital Rights (LOPDGDD) that complements the Regulation: the GDPR establishes the general European framework and Spanish law develops and adapts it to the national context. Among its contributions are the regulation of the figure of the Data Protection Officer, detailed rules on labour relations (including video surveillance or geolocation), and rules for the processing of data by public administrations. It also develops the sanctioning regime and recognises a set of digital rights such as digital disconnection, internet neutrality or education in digital skills, thus configuring a framework adapted to the Spanish reality.

The European Union is currently working on a proposal to revise the data regulatory framework in general, which means that some definitions and aspects of the GDPR could be updated in the coming months. This process arises from the need to adapt regulation to an environment marked by the rise of artificial intelligence, the massive use of data and the emergence of new processing models.

Institutions that help you know how to protect personal data

Given the complexity of this topic, there are a number of agencies and institutions that help ensure regulatory compliance, providing useful guides and references.

The European Data Protection Supervisor (EDPS) is the independent authority responsible for ensuring that the institutions and bodies of the European Union respect the fundamental right to data protection. Its work ranges from monitoring compliance with data protection rules at the institutional level to issuing recommendations, opinions and guidance on new policies and technologies that may affect privacy, as it has done with the recent Digital Omnibus.

In addition to information on audits, court proceedings and similar matters, it also provides guidance on specific topics, such as recruitment, staff evaluations, use of computer equipment in the workplace and disciplinary procedures.

The European Data Protection Board (EDPB) is the body that ensures the consistent application of the GDPR throughout the European Union. It brings together the national data protection authorities of the Member States and the European Data Protection Supervisor to ensure a uniform interpretation of the regulations. Its functions include issuing guidelines, recommendations and opinions that help organizations and administrations to correctly apply the Regulation. In addition, the EDPB adopts binding decisions in cross-border cases, coordinates the supervision of large European information systems and publishes relevant reports and news on data protection developments in Europe.

Its website includes a section with various documents focused on good practices. It also covers codes of conduct and certification mechanisms, seals and marks, among other tools.

The Spanish Data Protection Agency (AEPD) ensures compliance with data protection regulations in the country. Its mission is to guarantee the fundamental rights of individuals in relation to the processing of their personal information, by monitoring that companies, public administrations and organisations comply with the GDPR and national legislation. In addition to its sanctioning function, the AEPD acts as a reference body for interpreting regulations, resolving legal doubts and promoting a culture of privacy in all sectors.

The AEPD makes a wide variety of practical resources available to citizens and organisations to facilitate regulatory compliance and improve the management of personal data. These include thematic guides (including some focused on innovation and new technologies), self-assessment and management support tools, model information clauses, guidelines for carrying out impact assessments, and specific materials for sectors such as health or public administration. It also offers channels to exercise rights, report security breaches and access training programmes and awareness campaigns. These resources allow any entity to apply good practices, strengthen its security measures and guarantee responsible and transparent processing of personal information.

Beyond regulations: recommendations from the industry

In addition to knowing the regulations, it is very useful to observe what professional organizations and industry standards are doing, as they often offer practical guidelines that help to implement data protection on a day-to-day basis.

One example is the Payment Card Industry Data Security Standard (PCI DSS), an international framework designed to protect credit and debit card information. Although it is primarily aimed at companies that process, store or transmit card data, its principles can serve as a benchmark of good practice for any sector that handles personal data. The standard is developed and maintained by the Payment Card Industry Security Standards Council (PCI SSC), a body formed by the leading payment card brands, which aims to improve the overall security of account data through standards, training and support programmes that promote awareness and effective application of safeguards.

The PCI DSS standard establishes a series of technical and operational requirements (specifically, 12), organized into 6 sections called "control objectives":

  • Build and maintain a secure network and systems: deploy and maintain network security controls such as firewalls, and never keep vendor-supplied default passwords or other default security parameters.
  • Protect account data: apply encryption or other techniques (such as truncation or tokenisation) to stored card data to prevent unauthorised access, and encrypt cardholder data when it travels over open, public networks.
  • Maintain a vulnerability management programme: protect all systems against malware, keep software up to date, and develop and maintain secure systems and applications.
  • Implement strong access control measures: limit access to card data to personnel who need it for their job, assign a unique ID to each person with access, and restrict physical access to card data.
  • Regularly monitor and test networks: track and control all access to network resources and card data (record activity, review logs and detect anomalies), and test security controls periodically, for example through vulnerability scans and penetration tests.
  • Maintain an information security policy: establish clear rules and guidelines that protect the organisation's information assets and define everyone's responsibilities.
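The monitoring objective above is where most of the day-to-day effort sits, and "review logs and detect anomalies" is only useful if the logs are actually queried for the patterns the other objectives forbid. The following is an added example written for this post, not part of PCI DSS and not code from the original page: it parses a constructed audit-log format for a cardholder-data store and raises two alerts that map directly to the objectives, a user ID used from several source addresses at once (a sign the ID is shared rather than unique to one person or process) and a user reading an unusual number of distinct card records in a short window (the shape of a bulk export). The log format, the sample events and the thresholds are assumptions chosen for illustration.

```python
"""Reviewing access logs for a cardholder-data store.

Added example, not part of PCI DSS or the original post. The log format,
thresholds and events are constructed assumptions for illustration.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Assumed audit-log format. It references internal record IDs, never the
# card number itself: logs must not become a second copy of the PAN.
LOG_LINE = re.compile(
    r"^(?P<ts>\S+) user=(?P<user>\S+) src=(?P<src>\S+) action=(?P<action>\S+) record=(?P<record>\S+)$"
)

# Constructed sample: a normal user, a service account used from three hosts
# within seconds, a user pulling seven records in two minutes, and one
# malformed line that the parser must not choke on.
SAMPLE_LOG = """\
2026-05-12T09:00:01Z user=ana.perez src=10.0.1.15 action=read record=card_rec_111
2026-05-12T09:00:07Z user=ana.perez src=10.0.1.15 action=read record=card_rec_112
2026-05-12T09:02:30Z user=svc_batch src=10.0.9.2 action=read record=card_rec_200
2026-05-12T09:02:31Z user=svc_batch src=10.0.9.3 action=read record=card_rec_200
2026-05-12T09:02:32Z user=svc_batch src=10.0.9.4 action=read record=card_rec_200
2026-05-12T09:10:00Z user=carlos.ruiz src=10.0.2.7 action=read record=card_rec_300
2026-05-12T09:10:20Z user=carlos.ruiz src=10.0.2.7 action=read record=card_rec_301
2026-05-12T09:10:40Z user=carlos.ruiz src=10.0.2.7 action=read record=card_rec_302
2026-05-12T09:11:00Z user=carlos.ruiz src=10.0.2.7 action=read record=card_rec_303
2026-05-12T09:11:20Z user=carlos.ruiz src=10.0.2.7 action=read record=card_rec_304
2026-05-12T09:11:40Z user=carlos.ruiz src=10.0.2.7 action=read record=card_rec_305
2026-05-12T09:12:00Z user=carlos.ruiz src=10.0.2.7 action=read record=card_rec_306
this line is not a valid audit record
"""


def parse(lines):
    """Turn raw lines into event dicts; malformed lines are skipped, not fatal."""
    events = []
    for line in lines:
        m = LOG_LINE.match(line.strip())
        if not m:
            continue  # in production, count malformed lines and alert on spikes
        e = m.groupdict()
        e["ts"] = datetime.strptime(e["ts"], "%Y-%m-%dT%H:%M:%SZ")
        events.append(e)
    return events


def shared_account_alerts(events, window=timedelta(minutes=5)):
    """Flag a user ID seen from more than one source address within `window`:
    a sign that the ID is shared rather than tied to one person or process."""
    by_user = defaultdict(list)
    for e in sorted(events, key=lambda e: e["ts"]):
        by_user[e["user"]].append(e)
    alerts = []
    for user, evs in by_user.items():
        for i, e in enumerate(evs):
            others = {o["src"] for o in evs[i + 1:]
                      if o["ts"] - e["ts"] <= window and o["src"] != e["src"]}
            if others:
                alerts.append((user, e["src"], sorted(others)))
                break  # one alert per user is enough for triage
    return alerts


def bulk_read_alerts(events, window=timedelta(minutes=10), max_records=5):
    """Flag a user who reads more than `max_records` distinct card records inside
    `window`: the pattern of a bulk export, not of ordinary transaction handling."""
    by_user = defaultdict(list)
    for e in events:
        if e["action"] == "read":
            by_user[e["user"]].append(e)
    alerts = []
    for user, evs in by_user.items():
        evs.sort(key=lambda e: e["ts"])
        for i, start in enumerate(evs):
            seen = {o["record"] for o in evs[i:] if o["ts"] - start["ts"] <= window}
            if len(seen) > max_records:
                alerts.append((user, len(seen)))
                break
    return alerts


def analyze(lines):
    """Run both detections over a sequence of log lines."""
    events = parse(lines)
    return {
        "parsed": len(events),
        "shared_accounts": shared_account_alerts(events),
        "bulk_reads": bulk_read_alerts(events),
    }


if __name__ == "__main__":
    for name, value in analyze(SAMPLE_LOG.splitlines()).items():
        print(f"{name}: {value}")
```

Note that the repeated read of the same record by the service account is not flagged as bulk access; the distinct-record count is what distinguishes a retry loop from an export. The thresholds shown here are deliberately low to fit the sample; in a real deployment they would be derived from a baseline of normal activity per role.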

In the end, protecting personal data is not only a legal obligation, but a shared responsibility that defines trust in the digital environment. Knowing the regulations, relying on specialized institutions and adopting recognized standards allows organizations to build safer and more people-friendly systems.