In GDPR, Personal and Sensitive data is classified differently.
Personal information is anything that directly identifies a person’s name, address, phone numbers, email, cookie IDs, or even IP addresses. It also includes pseudonymous data, or non-direct identifying info, that allows a user to be singled out (for something like targeted ads) based on personal behavior.
Sensitive data is any data that digs deeper to reveal things like religion, genetics, health, political views, loyalties or memberships, sexual orientation, abilities, and more. The United States is currently experiencing the first-hand effects on what unmanaged access to this information (political, in their case) can have on an entire country and the rest of the world.