Skip to Content
Business Trends
Author's profile photo Thomas Frenehard

GRC Tuesdays: What is Sensitive Information?


In response to a recently released GRC Tuesdays post (Reducing the (Cyber) Attack Surface) I received a comment from my esteemed colleague of mine, Bo Baade-Pedersen, who leads GRC & Cybersecurity in EMEA-South for SAP: “very nice insights and good blog […] But what data to protect and consider, and for companies to be able to classify this data accordingly as well as setting up the right measures for protection, proves a challenge to many”.

And Bo was right as usual. My previous blog completely missed this crucial aspect. If one doesn’t know what to protect, then how can they? Not all data is sensitive so not all data requires the same level of protection. Considering otherwise has an incredible cost, and also prevents the business from running smoothly as it introduces many unnecessary security layers.

As a result, and in response to Bo’s comment, I decided to write a short blog on what is usually considered “sensitive information” that would warrant data protection obfuscation, masking mechanisms or other security processes.

In summary, “sensitive information” is the one that needs to be protected from unauthorized access and relates to personal information, business information or government classified information. So I decided to address each of these pillars individually and provide some examples.

Since “sensitive information” doesn’t have the same definition everywhere, I tried to approach by:

    • Regulatory requirements => after all, this is a compliance requirement in many geographies – specifically for data privacy and protection legislation
    • Industry => because each sector will have its specificities and shared areas of protection concerns
    • Company specific => because some information might not be critical from a regulator point of view, but pretty strategic from your company’s perspective


A regulatory definition of personal information


I could have selected any number of data protection legislative frameworks here, of course, but I decided to limit myself to the ones that I hear most often from customers. Apologies in advance if your favourite legislation is not mentioned below, there are simply too many of them!

They all have one thing in common: their intent is to protect “personal information”. But some also have a more specific definition when it comes to “sensitive personal information” so I thought I would call it out when applicable.

Regulation Definition
Australian Privacy Act (Privacy Act) The Privacy Act provides a broad definition of “personal information” as “information or an opinion about an identified individual, or an individual who is reasonably identifiable”. It then further defines “sensitive information” as:

  • information or an opinion about an individual’s (racial or ethnic origin; political opinions; membership of a political association; religious beliefs or affiliations; philosophical beliefs; membership of a professional or trade association; membership of a trade union; sexual orientation or practices; criminal record)
  • health information about an individual
  • genetic information about an individual that is not otherwise health information
  • biometric information that is to be used for the purpose of automated biometric verification or biometric identification; and/or
  • biometric templates
California Consumer Privacy Act (CCPA) As per the CCPA, “personal information” is “information that identifies, relates to, or could reasonably be linked with you or your household. For example, it could include your name, social security number, email address, records of products purchased, internet browsing history, geolocation data, fingerprints, and inferences from other personal information that could create a profile about your preferences and characteristics

Personal Information Protection Law of the People’s Republic of China (PIPL)


According to the PIPL, “personal information” is “all kinds of information, recorded by electronic or other means, related to identified or identifiable natural persons”. This therefore includes but is not limited to names, birth dates, national identification numbers, biometric information, contact details, etc.

As the Australian Privacy Act mentioned above, the Chinese legislation then further details “sensitive personal information” which it refers to as “personal information that, once disclosed or illegally used, may easily cause grave harm to the dignity, personal, or property security of natural persons, including information on biometric characteristics, religious beliefs, specially designated status, medical health, financial accounts, individual location tracking, etc., as well as the personal information of minors under the age of 14

Lei Geral de Proteção de Dados Pessoais (LGPD) LGPD defines “personal data” as “information regarding an identified or identifiable natural person” and defines “sensitive personal data” as “personal data concerning racial or ethnic origin, religious belief, political opinion, trade union or religious, philosophical or political organization membership, data concerning health or life, genetic or biometric data, when related to a natural person
General Data Protection Regulation (GDPR) GDPR defines “personal data” as “any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person”. In addition to “personal data”, GDPR also mentions “special categories of personal data (also known as sensitive personal data)” which include “genetic, biometric and health data, as well as personal data revealing racial and ethnic origin, political opinions, religious or ideological convictions or trade union membership”.


And industry perspective of business information


Every sector has its “secrets” that it needs to protect, some from general knowledge of members of the public and others from competitors, so I have selected some of the examples I considered most illustrative. I am sure you will have others in mind and if so, please feel free to add them in the comments to this blog:

Industry Example of sensitive information

Energy and Natural Resources

  • Exploration data: precise site locations and findings for extraction potential are clearly areas where information needs to be protected since it constitutes a competitive advantage
  • Plant maps: there have been instances where plants have been physically targeted to impact production, precise maps with location of key parts could be considered very sensitive
  • Production trends: who really wouldn’t want to know the future trends for extraction of crude oil?

Service Industries

  • Contract terms for new transport vessels (ships, planes, etc.): think of the major air shows for instance and the announcements by the manufacturers of new customers. They are usually pretty generic announcement and rarely disclose precise financial terms of course
  • Blueprints: if you watched the show  Designated Survivor, then you know that the blueprints in construction – especially for buildings that hosts exposed organizations, companies or that is accessible by the people – should definitely be protected!

Consumer Industries

  • Recipes: you know, like the recipe of the special sauce for the famous chain with golden arches, or the recipe for the soda that goes with it
  • Research data on new molecules or processes: need I remind here the R&D effort for COVID-19 vaccines around the world, results of clinical tries, etc. that were under heavy scrutiny from health experts, regulators and members of the public? Leaked data was straight away utilized to credit or discredit the pharma companies

Discrete Industries

  • Product designs: like for the air shows, the car and high-tech trade shows are key events where new products – and prototypes – are unveiled. Before they are presented publicly, their design and technical capabilities are usually considered confidential
  • Drawings, photographs, plans, instructions or documentation: for Aerospace and Defence which falls under this industry, any of these assets could be sensitive, especially if they relate to technical data

Financial Services

  • Trading methods: in theory, all trading desks have access to the same public information so should perform equally. But many have developed their own trading methods and tools, this can include the risk appetite and trading algorithms and protect this in-house secret
  • Model for capital requirement: for financial institutions following Basel Committee on Banking Supervision’s Supervisory Guidelines, developing an internal risk model can be considered a competitive advantage and as such would be an information not to be disclosed outside of selected stakeholders

Public Services

  • Government classified information: I don’t think I need to detail much more here! It’s any material that has been classified by a governing body and that needs a formal security clearance for access


A company specific definition


But that is not all, oh no, that is not all! In addition to regulatory requirements and industry practices, there are also organizational-specific data that needs to be protected.

These can take multiple forms and the best approach, in my experience, is to align with the business process owners and ask them directly what data they feel would be damageable if made available to non-authorized parties.

Trade secrets, intellectual property and in-house know-how are of course clear candidates here.

But so is financial information until such time as it has been disclosed. Especially for publicly traded companies.

Content of non-disclosure agreements can also be very sensitive, especially if they relate to ongoing negotiations, joint development of products or service offerings.

And for software vendors – like SAP – roadmap information before it’s released is, of course, information to protect.

Of course, I am not suggesting that this is an exhaustive list or definition, but I hope that this blog will be helpful in your thought process on what needs to be protected.

What about you, how does your company define “sensitive information” that requires additional protection layers? I look forward to reading your thoughts and comments either on this blog or on Twitter @TFrenehard


Assigned Tags

      Be the first to leave a comment
      You must be Logged on to comment or reply to a post.