GDPR: special categories of data need special care

The new General Data Protection Regulations (GDPR), which come into effect on 25 May 2018, include special categories.

When the regulations are in operation, they will do much to rebuild individuals' trust in organisations to take proper care of their data, especially through the right to correct and retract data.

At its heart GDPR aims to embed the principles of data protection throughout the workplace culture. This fundamental mind shift by everyone in the organisation includes:

  • proactively demonstrating compliance – this means designing compliance, protection and privacy into every stage
  • timely and accurate maintenance of records
  • more stringent rules and shorter time frames for the reporting of data breaches

GDPR needs to be uppermost in the minds of everyone involved in using personal data, whether it relates to employees or other people. It’s also worth noting that personal data includes all information stored and processed by your organisation: opinions as well as facts.

Special categories of data about racial or ethnic origin, sexual life, physical or mental disability, political opinions, religious or similar beliefs, trade union membership, genetic and biometric information require additional care and protection under GDPR. Consent on its own is unlikely to provide a basis for most data processing in the future.

Proactively protecting personal data and maintaining records about that data is everyone’s job, not just HR’s. What about discussion boards on your intranet and internet? Or notes taken by interviewing managers and mentors? Or CCTV footage? Or biometric data held in access devices and company mobile phones?

For example, how extensively have you explored the measures you or your third-party service provider have in place for equality or diversity monitoring? GDPR requires that, if we use a third party to gather, process, store and maintain data on our behalf, we ensure the third party complies with GDPR requirements. However well-intentioned your equality / diversity monitoring may be, and regardless of whether your organisation or your third-party service provider does the monitoring, the data is subject to GDPR. Your organisation is responsible for ensuring that any additional compliance, protection and privacy controls which are required are in place and adequate.

Employees have a genuine choice about whether or not to provide equality / diversity monitoring information. There should not be any adverse consequences for those who choose not to provide it. Employees can withdraw that consent and ask for their data to be erased at any time.

GDPR does not apply to data gathered and processed on an anonymous basis – provided no individual can be identified from the data, either on its own or when it is combined with other information.

Equality and diversity monitoring are permitted under GDPR but some data requires additional care. Understanding the requirements of the regulations and designing these into your approach will safeguard your organisation and staff and encourage individuals to confidently share personal information.

Blog by Jo Strain
CMI Southern Inclusion Champion and CMI Women Lead

This blog is provided in good faith to highlight diversity and inclusion aspects of the new data regulations. It does not express, and should not be relied on as, legal advice.


> Information Commissioner's Office Guide to GDPR
> GDPR: Ten easy steps all organisations should follow
> Inclusive Employers GDPR Fact sheet: How will the GDPR impact your diversity monitoring?