In this article

Sign up for our newsletter

Share this article

It isn’t always easy for non-privacy experts to understand the point of all these data privacy regulations—surely, we’re all used to the idea that our data is up for grabs?  

But things usually become clear for the layperson when it’s pointed out that there’s certain information they don’t want to be shared with anybody except for those people who absolutely need it and can be trusted to safeguard it. To protect this category of personal information, many data privacy regulations have the concept of sensitive personal information. 

Let’s explore what exactly comprises sensitive personal information, why organizations need to treat it with care, and how they can discover that data to meet their compliance obligations. 

First Things First: What Is Sensitive Data? 

Sensitive data, or sensitive personal information, is a legal category of personal data that receives an additional level of protection from data privacy regulations. Violations associated with sensitive data tend to carry higher penalties as well. 

Different data privacy laws have different specific definitions of sensitive personal information. Broadly, personal information can be considered to be sensitive if its exposure could result in: 

  • Harm to the data subject with whom it is associated. 
  • Discrimination 
  • Stigmatization.  
  • Identity theft.  
  • And so on. 

So, your first and last name wouldn’t be considered sensitive personal information on its own—there isn’t too much harm somebody can do with the knowledge that “John Smith” exists. But if John Smith were to submit a DNA sample to a genealogy service, that data would be extremely sensitive. Mr. Smith would be very concerned if he discovered that this genealogy service sold his genetic data to some third party—perhaps to a data broker, a law enforcement database, or a mad scientist building an army of clones. 

The CPRA defines sensitive personal information as: 

Personal information that reveals: 

  • A consumer’s social security, driver’s license, state identification card, or passport number. 
  • A consumer’s account log-in, financial account, debit card, or credit card number in combination with any required security or access code, password, or credentials allowing access to an account. 
  • A consumer’s precise geolocation. 
  • A consumer’s racial or ethnic origin, religious or philosophical beliefs, or union membership. 
  • The contents of a consumer’s mail, email, and text messages unless the business is the intended recipient of the communication. 
  • A consumer’s genetic data. 

The processing of biometric information for the purpose of uniquely identifying a consumer. 

Personal information collected and analyzed concerning a consumer’s health. 

Personal information collected and analyzed concerning a consumer’s sex life or sexual orientation.

Rather than “sensitive personal information,” the GDPR instead defines “special categories” of personal data. In essence, the two terms mean the same thing. Here’s how the GDPR defines special categories of personal data: 

... personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, and the processing of genetic data, biometric data for the purpose of uniquely identifying a natural person, data concerning health or data concerning a natural person’s sex life or sexual orientation. 

What Is Sensitive Data Discovery? 

Simply put, sensitive data discovery is the process of discovering where you collect, store, process, and transfer sensitive personal information. 

Odds are, your organization holds sensitive personal information in more places than just your CRM or email inbox. Your organization might: 

  • Use vendors that collect sensitive personal information. Another team may have onboarded a vendor that collects sensitive personal information without informing the rest of the business. (That’s especially likely if the vendor or tool is “free”). 
  • Collect the same sensitive personal information from the same individual across multiple channels, but store copies of that data in separate places. 
  • Develop mobile apps using software development kits (SDKs) that funnel personal information to the SDK developer or other third parties. 

All this is to say, no matter how confident you are that you understand where and how your organization collects information, the only way to be certain is to map your data and discover stores and sources of sensitive personal information.  

Why Do You Need Sensitive Data Discovery? 

Unsurprisingly, sensitive data needs a higher level of protection. That’s why data privacy laws tend to regulate sensitive data and penalize violations involving sensitive data at higher levels. 

For example, the CPRA requires businesses to limit their use of sensitive personal information (upon the consumer’s request) to only that which is necessary to provide the goods and services that the consumer expects. If the consumer submitted this request, then activities like sharing or selling that data with other parties are not permitted. 

In GDPR rulings, the Court of Justice of the European Union (CJEU) has historically penalized cases involving special category violations at a higher rate. In fact, many of the highest penalties on the books involve special category violations. 

So, businesses need sensitive data discovery for two chief reasons: 

  1. To identify all sensitive data processing activities at their organization to ensure those activities are compliant. 
  2. To reduce their organization’s overall sensitive data footprint. You may be collecting sensitive data—which is equivalent to collecting risk—unnecessarily. 

How to Approach Sensitive Data Discovery 

There is a wide range of sensitive data discovery tools and approaches out there, some of which are more or less suitable depending on your circumstances. 


As always, there is the manual approach: You could work with your IT, procurement, and finance teams to catalog a list of each system where sensitive personal data might be stored in your organization, and working out of a spreadsheet, contact the owners of those systems and request the necessary information to confirm or establish compliance.  

Just reading that probably felt exhausting—not only does all that manual data entry invite error, but you’re also bottlenecked by multiple external stakeholders, and reliant upon others’ understanding of data privacy compliance and sensitive personal information. What’s more, you’ll need to repeat this process on a regular basis. After all, your organization isn’t going to use the same tools for all eternity, and it isn’t going to process personal data in the same way forever either. 

With Data Governance Software 

Rather than take the manual approach, you could use a sensitive data discovery software solution. 

These will result in more accurate, comprehensive, and sustainable discovery. However, there is still a wide range of solutions out there, and given the prices you may have to pay for a solution, it’s important to identify the right one for your unique circumstances. 

Many sensitive data discovery tools are not designed with data privacy compliance in mind; rather, they’re part of a larger data governance and IT management platform. Especially large and complex organizations will still benefit from such platforms, but they won’t really solve for data privacy compliance, even if they have the capability to do so. 

That’s because these tools are managed by the IT team rather than a privacy professional—meaning any tasks that a privacy pro wants to accomplish using the tool will be bottlenecked by IT’s other priorities.  

A way around this issue is to get the privacy professional an account and train them on the tool. Unfortunately, these multi-purpose data governance tools tend to be highly complex (not to mention that extra accounts tend to be expensive). Given that a privacy professional only needs to use such tools for a limited range of tasks, training can feel like an undue burden on top of their other compliance duties. 

With Osano 

Fortunately, there are privacy-focused sensitive data discovery tools, like Osano. 

This class of solutions is either a point solution to data discovery for the purposes of data privacy compliance or is a tightly integrated platform of compliance solutions (including data discovery) that a privacy professional will benefit from. Osano takes the latter approach. 

Osano Data Mapping integrates with your organization’s Single Sign On (SSO) provider and discovers connected systems. Then it scans systems likely to contain personal information, assigns them a risk score based on a number of criteria like types of data fields and number of vendor flows, and surfaces them to the user for investigation. Any systems that live outside of your SSO can be easily mapped using an automated workflow that keeps external stakeholders alert to any outstanding tasks. 

In this way, a privacy professional can discover sensitive data, but Osano also enables them to conduct the ensuing tasks that actually enables compliance. Osano Data Discovery and Subject Rights Management can surface an individual’s data (sensitive or otherwise) for DSAR fulfillment; Osano Assessments can generate a RoPA from discovered data; and other modules in the platform can interact with your data map in a variety of ways to support your organization’s compliance. 

If you’re looking for a privacy-focused approach to discovering and managing your organization’s sensitive personal information, consider scheduling a demo of Osano today. 

Schedule a demo of Osano today

Privacy Program Maturity Model

Seeking to establish or level up your privacy program? Find out where your biggest gaps lie, what next step to take, and what maturity level you've attained with this guide.

Download Now
Privacy maturity model
Share this article