What are the laws and regulations regarding sensitive data identification?

Laws and regulations regarding sensitive data identification vary by country and region, but they generally aim to protect personal, financial, or confidential information from unauthorized access or misuse.

  1. General Data Protection Regulation (GDPR) - EU:

    • Defines sensitive data as personal data revealing racial or ethnic origin, political opinions, religious beliefs, trade union membership, genetic or biometric data, health data, or sexual orientation.
    • Requires explicit consent for processing such data and mandates strict security measures.
  2. California Consumer Privacy Act (CCPA) - USA:

    • Identifies sensitive personal information (SPI) including Social Security numbers, financial account details, health or medical information, and precise geolocation data.
    • Grants consumers rights to know, delete, and opt out of the sale of their SPI.
  3. China’s Personal Information Protection Law (PIPL):

    • Classifies sensitive personal information as data that, if leaked or misused, could harm personal dignity or physical/mental health, such as biometrics, religious beliefs, medical health, financial accounts, and location tracking.
    • Requires separate consent for processing sensitive data and mandates data minimization.

Example: A healthcare provider storing patient records must encrypt the data (e.g., using Tencent Cloud Data Encryption Service) and ensure that access controls comply with local laws such as PIPL or GDPR.

For cloud-based compliance, Tencent Cloud offers services like Tencent Cloud Data Security Governance to help identify and classify sensitive data, ensuring adherence to regional regulations.