Alex is Sprintlaw’s co-founder and principal lawyer. Alex previously worked at a top-tier firm as a lawyer specialising in technology and media contracts, and founded a digital agency which he sold in 2015.
- What Does Special Category Data Include?
- Why Is Special Category Data Treated Differently?
- When Might My Business Hold Special Category Data?
- Do I Need a Lawful Basis and a Special Condition?
- What Happens If I Get This Wrong?
- How Do I Make Sure My Contracts and Policies Cover Special Category Data?
- Are There Extra Steps for Health, Education, or Tech Businesses?
- What Should I Do If I Have a Data Breach Involving Special Category Data?
- Who Can I Talk To For Help With Special Category Data Issues?
- Key Takeaways: Special Category Data Includes and Compliance Essentials
If you’re running a business in the UK, understanding your legal obligations around data protection isn’t just a box-ticking exercise: it’s the foundation for building trust with your customers and avoiding costly fines. But there’s one area in data protection that’s especially important, and often misunderstood: special category data.
If your business handles any information that falls within this category, you’ll need to know exactly what special category data includes, how it differs from ordinary personal data, and what you need to do to stay compliant (and protected from day one). In this guide, we’ll break down the essentials for UK SMEs, making sure you know the key steps, risks, and best practices, so you can get on with growing your business confidently.
What Does Special Category Data Include?
Under the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018, personal data comes in a few different "flavours." Most of it relates to everyday information, like names, addresses, or emails. But special category data includes types of personal information that are considered particularly sensitive, and therefore need a higher level of protection.
Special category data includes:
- Racial or ethnic origin
- Political opinions
- Religious or philosophical beliefs
- Trade union membership
- Genetic data
- Biometric data (for identifying a person)
- Health information
- Sex life or sexual orientation
If your business processes any of the above, you’re handling special category data, and specific legal rules kick in, so keep reading to see what this means for you.
Why Is Special Category Data Treated Differently?
You might be wondering: why all the extra fuss? The reason is that if this kind of data got into the wrong hands, it could cause real harm or discrimination to the people involved. For example, health data could be misused by insurers or employers, or biometric data could be used for identity theft.
This is why the UK GDPR doesn’t treat all personal data equally: it adds extra hurdles and stricter safeguards if you’re handling special category data. So you can’t process, use, or store this information the way you would standard personal data.
When Might My Business Hold Special Category Data?
You don’t need to be running a hospital or political campaign to collect this type of data. In fact, lots of everyday UK businesses might process special category data without even realising it. Here are a few example scenarios:
- Recording employees’ health details for sick leave, maternity or disability accommodations
- Using fingerprint or facial recognition systems to grant staff access to your premises (biometric data)
- Collecting information on clients’ religious beliefs to cater for dietary requirements at an event
- Handling equal opportunities monitoring data relating to ethnicity or sexual orientation
- Membership forms asking about union affiliations
If any of this sounds like your business, you’re processing special category data and need to set up the right legal protections straight away.
Do I Need a Lawful Basis and a Special Condition?
This is where most businesses get tripped up. To process ordinary personal data, you need a lawful basis (such as consent, contract, legal obligation, vital interests, public task, or legitimate interests).
But for special category data, you need one of those lawful bases plus an extra condition listed in Article 9 of the UK GDPR.
Some common “special conditions” for processing special category data include:
- Explicit consent from the data subject (must be clear, specific, and separate from other consents)
- Employment, social security and social protection law (e.g. ensuring safe workplaces, complying with disability laws)
- Vital interests (when it’s necessary to protect someone’s life, and they can’t give consent)
- Legal claims (processing needed for the establishment, exercise or defence of legal claims)
- Public interest (substantial public interest reasons, subject to further conditions)
- Health or social care (covered under professional secrecy or for preventive/occupational medicine)
This can get complicated very quickly. The golden rule? Don’t collect or use special category data unless it’s truly necessary for your legitimate business purposes, and always make sure you identify both a lawful basis and an extra special condition before you do anything with it.
If you’re unsure, getting advice from a data privacy lawyer is the safest option.
What Are My Obligations When Handling Special Category Data?
Because special category data includes highly sensitive information, your legal duties go above and beyond the basics. Here’s a breakdown of what you’ll need to take care of:
1. Enhanced Security Measures
You’re required to have higher security standards compared to regular personal data. This often includes:
- Limiting access to only those who “need to know”
- Encrypting data, both in storage and transmission
- Extra authentication (like two-factor logins)
- Frequent password changes and access reviews
- Physical security for paper records
A data breach involving special category data can be far more serious, so don’t cut corners on security.
2. Privacy Notices and Consent
Your Privacy Policy (or Privacy Notice) needs to clearly spell out when and why you collect special category data, what you’ll do with it, and the condition you’re relying on.
If you’re relying on consent, it must be:
- Freely given
- Explicit (not bundled in with other consents)
- Specific and informed
- Documented so you can prove it
You’ll also need processes for handling questions, withdrawal of consent, or subject access requests involving this data. Check out our guide to data processing agreements to ensure your consent methods are watertight.
3. Data Minimisation
Only collect what you genuinely need. This means minimising:
- The amount of special category data gathered
- The number of people with access
- How long you keep it (with defined data retention periods)
Don’t just “hold onto it in case”: that’s a fast way to get on the wrong side of the ICO.
4. Data Protection Impact Assessments (DPIAs)
If you plan to process special category data on a large scale, or in a way that poses high risks to people’s rights (such as health data in a medical app or biometric data in workplace access), you’ll probably need a Data Protection Impact Assessment (DPIA).
This means systematically examining your processing activities for privacy risks and documenting:
- Why you’re collecting it
- The lawful basis and special condition
- Any potential risks and how you’re mitigating them
If you’re not sure if a DPIA is needed, it’s best to ask a privacy specialist.
5. Record Keeping and Accountability
The UK GDPR says you must be able to demonstrate compliance-especially with special category data. That means keeping detailed records of:
- What data is processed and why
- Who has access
- Decisions about lawful bases and special conditions
- Consent records (if relevant)
- Security and breach procedures
This is often called “accountability”, and if the ICO comes knocking, these records are your best defence.
What Happens If I Get This Wrong?
Mishandling special category data carries serious risks for your business. Fines for breaching the UK GDPR or the Data Protection Act can reach millions of pounds, especially if sensitive information is leaked or misused.
But even beyond regulatory penalties, a data breach or mishap could destroy your reputation and erode trust with customers and staff. In some cases, individuals can even claim compensation for mishandling their data.
The bottom line? Treat special category data with extra respect, and make sure your business is covered.
How Do I Make Sure My Contracts and Policies Cover Special Category Data?
It’s crucial to have legally robust contracts and privacy tools in place, especially if you use third-party service providers, cloud storage, or other businesses to process or store special category data on your behalf. Here’s what you need:
- Privacy Policy (explicitly mentioning special category data, purposes, and your lawful basis/special condition)
- Data Processing Agreement for processing or storing data with outside providers (making sure they stick to the required security and confidentiality standards)
- Data Retention Policy to clarify how long you’ll keep this data and how you’ll securely delete it
- Data Breach Response Plan to ensure you can act (and notify the ICO) quickly in case something goes wrong
Avoid using generic templates or DIY solutions. These documents need to be tailored so that your business is protected and so that you can demonstrate compliance in case you’re ever challenged. Our team can help you create bespoke documents built for your industry and risk profile.
Are There Extra Steps for Health, Education, or Tech Businesses?
While every UK employer or business owner must comply with the above, certain sectors must be even more rigorous:
- Health and Social Care: The rules for patient data are even stricter (including the NHS Data Security & Protection Toolkit), and breaches here almost always need to be reported.
- Education: Schools, colleges, and universities regularly process health, ethnicity, and needs-related information for minors, often triggering additional duties.
- Tech/Apps: Any business building digital tools that process biometric, health, or location data (think fitness trackers, HR software, or access control apps) must build privacy and security in from day one.
If your business is in one of these industries, or planning to move into them, check out our guides to GDPR compliance in schools and cybersecurity policies.
What Should I Do If I Have a Data Breach Involving Special Category Data?
If you experience a personal data breach that affects special category information, whether through a misdirected email or text message, lost paperwork, or a hacked database, you have even stronger duties under UK law:
- Assess the breach, identify what types of data and how many people are affected
- Notify the ICO within 72 hours, if there is a risk to people’s rights or freedoms
- Inform the affected individuals if there is a high risk of harm
- Document everything, including your response plan and remedial actions
The ICO has strict guidelines on reporting and consequences. Check out our guide to GDPR breach reporting for the essential steps.
Who Can I Talk To For Help With Special Category Data Issues?
Let’s be honest: data privacy, especially when it comes to special category data, is a regulatory minefield. That’s why it makes sense to talk to an expert before you collect, use, or share any sensitive information.
Whether you need an audit, new privacy contracts, or help handling a tricky data subject access request, our team of friendly legal professionals is here to guide you step-by-step, so you can focus on running your business with confidence.
Key Takeaways: Special Category Data Includes and Compliance Essentials
- Special category data includes sensitive information like health, biometric, and ethnicity data, and it needs extra protection under UK GDPR and the Data Protection Act 2018.
- You can’t process special category data unless you have both a lawful basis and a special condition (such as explicit consent or a legal obligation).
- You must set up higher security measures, clear privacy notices, and robust contracts for anyone handling this data on your behalf.
- Only gather what you need, keep records of your decision-making, and delete special category data securely when it’s no longer needed.
- Certain sectors (health, education, tech) have even stricter rules, and large-scale processing often requires a DPIA.
- If you suffer a breach involving special category data, you must notify the ICO quickly and be ready to show what steps you took to prevent and address it.
- Don’t leave it to chance: get tailored legal advice and set up the right contracts and policies from day one.
If you’d like help reviewing your contracts, Privacy Policy, or data handling processes, get in touch for a free, no-obligations chat at 08081347754 or team@sprintlaw.co.uk. We’re here to make sure your business is protected, compliant, and ready for growth from the start.