
Special category data under GDPR

26 / 6 / 2026 | 6 min read
By Amy Church

What counts as special category data, the extra condition you need to process it, and how to handle it proportionately.

Special category data covers the more sensitive kinds of personal data that the UK GDPR singles out for extra protection. If your business handles any of it, you need an additional condition to process it, on top of your ordinary lawful basis. Most small businesses touch special category data less than they fear, but it's worth knowing what counts and what to do when you do.

This guide explains what special category data is, why it's treated differently, the extra condition you need, and how to handle it proportionately.

What counts as special category data?

The UK GDPR lists specific types of data as special category:

  • race or ethnic origin
  • political opinions
  • religious or philosophical beliefs
  • trade union membership
  • genetic data, and biometric data used to identify someone
  • health data
  • data about a person's sex life or sexual orientation

Information about criminal convictions and offences isn't technically on this list, but it's treated with the same care and has its own rules. Everything else, such as names, contact details, and purchase history, is ordinary personal data.

Why it gets extra protection

These categories carry a higher risk of harm if they're misused, whether discrimination, distress, or worse. That's why the law asks for more than a lawful basis before you process them, and why a casual approach is harder to defend. The point isn't to make the data untouchable. It's to make sure you've actually thought about it.

The extra condition you need

To process special category data you need two things: a lawful basis under the ordinary rules, and a separate condition specifically for special category data. Common conditions include the person's explicit consent, processing necessary for employment obligations, and processing in the substantial public interest. Some of these also require you to have a short policy document describing how you handle the data. The practical message is simple: you can't rely on legitimate interest alone here, so identify the right condition before you start.

Where small businesses usually meet it

For most small businesses, special category data shows up in a few predictable places: health information for sick leave or workplace adjustments, dietary or accessibility needs for events, and equality monitoring. In each case the data is usually limited and the condition is straightforward, as long as you recognise what you're holding and treat it accordingly.

How to handle it proportionately

Find it first: your data map should flag where special category data lives. Then pick your condition, limit who can see the data, keep it only as long as you need it, and write down the policy where one is required. None of this needs to be heavy, but it does need to be deliberate. If you're choosing a lawful basis at the same time, our guide to legitimate interest explains why it isn't enough on its own for this kind of data.

Special category data is one part of the wider picture in our guide to GDPR for small businesses. If you'd like help identifying and handling it correctly, our GDPR compliance service covers it as part of mapping your data.
