
Data Sensitivity: What You Need to Know For Your Business

If you are a business, big or small, you have a responsibility to protect your data. That is where data sensitivity comes in: you need to protect your sensitive data from unauthorized disclosure and from being inadvertently destroyed. This article sums up who decides what data is sensitive, the different levels of data sensitivity, the data protection laws to consider, and examples of data that is sensitive (PII, sensitive data, confidential data, etc.).

Business Leaders Decide What Data Is Sensitive And What Is Not.

If you own or store data as part of your business, you are the ultimate decision-maker on how sensitive this data is. Specifically, you need to decide what counts as sensitive data, defined as “information that must be protected against unauthorized disclosure”. As part of determining data sensitivity, you need to take into consideration applicable laws and the advice of security experts. Even so, the decision itself cannot be delegated to a security consultant, because you are the owner of the data.

Need For A Risk Assessment To Determine Data Sensitivity Levels.

[Image: Bogachev Hacks Your Data]

Every business needs to know the risks it faces if its data is either leaked or destroyed. To know those risks, every business and organization needs to conduct a data risk assessment. Specifically, a risk assessment will help you classify the sensitivity level of your data, and by doing this assessment you will be able to determine your risk mitigation actions. Below is an example of data sensitivity levels that an organization could establish to classify its data.

  • High Sensitivity Data. If this data were leaked or destroyed, it would have a catastrophic impact on the organization or on individuals. For example: financial records, intellectual property, authentication data.
  • Medium Sensitivity Data. This data is intended for internal use only. If destroyed or leaked, it does not have a catastrophic impact. For example: emails and documents containing no confidential data.
  • Low Sensitivity Data. This data is intended for public use. For example: public website content.

See Imperva’s Data Classification for more on classifying data and SecurityScoreCard’s What is Sensitive Data And How Do You Protect It?

What Applicable Laws Govern The Classification of Data Sensitivity.

The amount of data in the world is exploding, and businesses as well as organizations are grappling with how they store data or transfer it over the internet. Another wrinkle in determining data sensitivity is that you have to pay attention to applicable laws: there is now an increasing body of laws that define the sensitivity of data and how data owners have to protect it.

Your type of business and where it is located determine which data protection laws apply to you. There are also data protection laws and guidelines that you or your customers may elect to follow. For example, some large businesses and industry groups hold themselves to higher data protection standards and in turn require their vendors and suppliers to comply, or they will sever the business relationship. Below are a few of the most influential data protection laws:

  • Gramm–Leach–Bliley Act (GLBA). U.S. financial institutions must disclose how they share and protect their customers’ private information.
  • Health Insurance Portability and Accountability Act (HIPAA). U.S. health providers must take adequate steps to protect patients’ Personal Health Information (PHI).
  • Family Educational Rights and Privacy Act (FERPA). U.S. educational institutions must have the consent of students over 18 years old to release records such as schedules, transcripts, and disciplinary information.
  • General Data Protection Regulation (GDPR). This European Union (EU) data protection standard is a very comprehensive regulation for protecting personal data. As a result, many businesses and organizations elect to follow this standard even outside the EU.
  • Payment Card Industry Data Security Standard (PCI DSS). This is an information security standard that tells organizations how to handle data associated with payment cards.

See Zettaset’s What Is Sensitive Information? and UpGuard’s What Is Sensitive Data? for more details on laws and regulations governing sensitive data.

Examples of Sensitive Data.

As data protection laws and standards have evolved, most of them have come to group data under four categories. Below are those four data protection categories, with examples of the types of data that fall into each.

1. Personally Identifiable Information (PII).

This type of information can be used to confirm an individual’s identity. This includes:

  • A name and surname
  • A home address
  • An email address
  • An identification card number
  • Location data
  • An Internet Protocol (IP) address
  • The advertising identifier of your phone

2. Sensitive Information.

The EU’s GDPR data protection standard classifies sensitive information as follows:

  • Racial or ethnic origin
  • Political opinions
  • Religious or philosophical beliefs
  • Trade union membership
  • Genetic data
  • Data related to a person’s sex life or sexual orientation
  • Biometric data (where processed to uniquely identify someone).

3. Confidential.

This is data that businesses, organizations, and governments use and do not want to expose to other entities. This includes:

  • Any document that is classified as restricted, or whose disclosure would be considered a breach of confidentiality
  • Accounting data
  • Trade secrets
  • Financial statements or accounts
  • Sensitive information in business plans.

4. Normal.

General data that does not belong to any of the other categories.

See Microsoft’s Classifying Data Sensitivity Fields, ITGovernance’s GDPR: Personal Data Vs Sensitive Data, and Spirion’s How To Determine the Sensitivity of Information for more information on examples of sensitive data.
