12 February 2020
The word "processing" appears in the EU General Data Protection Regulation (GDPR) over 630 times. The law features seven "principles of data processing." It requires companies to ensure the "resilience of processing systems." It even proclaims that "the processing of personal data should be designed to serve mankind."
Processing personal data is what the GDPR is all about. But have you ever stopped to consider what "processing" actually means?
The easy answer is that processing means "everything." It's hard to imagine an action you could take in relation to personal data that wouldn't qualify as "processing" it. But for anyone who really wants to understand their obligations under the law, this answer won't be enough.
Let's take a detailed look at the sorts of activities that count as processing under the GDPR.
The definition of processing appears at Article 4(2) of the GDPR:
"'processing' means any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means [...]"
This definition is clearly designed to be as broad as possible. It's followed by a non-exhaustive series of examples.
"collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction"
That covers just about everything you could conceivably do with personal data. This definition applies regardless of whether the personal data exists on paper or electronically.
We're going to take a detailed look at some of these methods of processing, consider some examples of how you might engage in them, and how they might apply in practice in relation to the GDPR's requirements.
Before we look at "processing," it's worth briefly defining "personal data."
Just as the definition of "processing" in EU law is extremely broad, so is the definition of "personal data."
Here's part of the definition of personal data Article 4(1) of the GDPR:
"'personal data' means any information relating to an identified or identifiable natural person ('data subject'); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier "
So, personal data is any information that relates to an identifiable person. The GDPR is a little short on examples, but this is always interpreted very broadly.
Here are some examples provided by the European Commission:
Collection is one of the types of processing that features most heavily in the GDPR.
The GDPR uses the term "collect" to refer to the practice of getting personal data directly from a data subject. It uses the term "obtain" to refer to the practice of receiving personal data from a third party.
There are many reasons that you might collect personal data from a person, for example:
Don't collect personal data that you don't need. "Data minimization" is a crucially important principle under the GDPR, and can also make you less susceptible to data breaches,
Recording isn't formally defined in the GDPR, and can take on a few different meanings.
Under Article 30, businesses who have over 250 employees, engage in "non-occasional" data processing, or any amount of processing of special category personal data, are required to keep records of their processing activities.
However, these records are likely to be generic in nature. So this, in itself, would not constitute the processing of personal data.
Some examples of how "recording" might constitute the processing of personal data include:
If you've earned someone's consent to process their personal data, you must be able to demonstrate that you have done so.
The Information Commissioner's Office (ICO), the UK's Data Protection Authority, suggests recording the following information so that you can demonstrate consent:
When you create a record that could, either alone or when combined with other information, reveal something about an identifiable person, this record constitutes personal data. Therefore, you need to treat it with an appropriate level of security.
We'll be looking at the secure storage of personal data below. Just remember that your obligations in this area also apply to personal data that you have "created" through your recording.
The GDPR lists the "organization" and "structuring" of personal data as two separate means of processing. Again, there is no clear explanation of these terms in the text of the GDPR.
Some examples of activities that might constitute the organization or structuring of personal data include:
Organizing and structuring the personal data within your company's system is not to be discouraged. In fact, it is important for several reasons, for example:
The GDPR primarily demands that you keep data secure in order that it cannot be accessed without authorization. But it also requires that you keep personal data well-organized and accessible to those who require access to it.
An important step in becoming GDPR-compliant is conducting a data audit. This should involve identifying:
Getting a handle on your records and databases is essential.
Storage is another important example of data processing that features heavily in the GDPR.
Some examples of storage of personal data include:
The GDPR specifically mentions two methods of storing personal data securely - pseudonymization and encryption.
These two measures are often conflated, but there is a difference.
Where personal data has been pseudonymized or encrypted, it must still be treated as personal data. However, there are significant advantages to using pseudonymized or encrypted data. For example, if encrypted personal data is lost during a data breach, you may not be required to inform the affected individuals that this has occurred.
Full disk encryption is a way to securely store personal data. This method encrypts everything contained on a disk - including any personal data.
Here are some full disk encryption facilities available for some common operating systems.
It's worth considering whether full-disk encryption might be an appropriate secure storage system within your company.
Alteration is a an important way of fulfilling the GDPR's principle of accuracy. You might be required to "alter" personal data for a number of reasons, for example:
Wherever you have made an alteration to personal data, it is usually best to keep a record to this effect.
The GDPR allows individuals to exercise the "right to rectification." This means that if a person believes there to be an error in your record of their personal data, they have to right to request that you alter the personal data in order to rectify it.
Where receive such a request you must normally act on it within one month. You may not normally charge the individual and instead must honor the request for free.
If you're sure that the personal data is not inaccurate, you may have grounds to refuse the request.
If you run a website which allows people to set up an account, you should aim to offer them maximum direct control to make alterations to the personal data associated with their account.
This will save you work in the long-run, as you'll be less likely to receive requests for rectification or deletion of their personal data.
Here's Instagram's "Edit Profile" screen. Consider that all these options can qualify as "personal data" in this context.
A screen like this gives your users maximum control over their data, which helps them instantly make changes they wish to make without needing to request you do so for them.
The "disclosure by transmission" of personal data can include the sharing of personal data with other companies. But it can also apply to the transmission of personal data within your organization.
Here are some situations in which you might disclose personal data by transmission:
Personal data should always be transmitted securely, so as to avoid interception. There are a number of ways to ensure security during transmission within your company, for example:
You may need to share personal data with another organization so that they can process it on your behalf. For example, you might share personal data with companies that provide:
Such companies are known as "data processors." The terms of transmitting personal data to such companies, and of their subsequent processing of that personal data, must be set out in a contract known as a Data Processing Agreement.
You may only use data processors that can demonstrate their compliance with the GDPR.
Erasure and destruction of personal data is a necessary part of complying with the GDPR. As we've seen, the principle of storage limitation requires that you erase personal data that you no longer need.
Here are some examples of when you might erase personal data in your possession:
Under the GDPR, individuals have the right to request that you erase any personal data you hold on them. This is known as the "right to erasure," or sometimes the "right to be forgotten."
This is not an absolute right, and it may be appropriate to refuse under certain conditions.
When someone requests that you erase their personal data, it's best to explain the implications of this. Here's an example from Facebook:
Users are told that information like photos, videos and posts will be irretrievable and permanently gone, but that some information, like sent messages, will be stored in the recipient's inbox.
One of the GDPR's principles of data processing is storage limitation. You must not store personal data for longer than you need it in connection with a specified purpose.
This means that you should schedule regular points at which different categories of personal data are erased.
It is important to be able to justify how long you keep each type of personal data you store. This might involve drawing up a Retention Schedule, which clearly sets out your storage periods.
Here's an excerpt from the ICO's Retention Schedule:
Note how it includes how long something will be retained for, what action will occur after that time period, and who owns the information asset at the moment.
We've seen that "processing" really can mean doing anything with personal data - even if that means just letting it sit in filing cabinets or servers.
Here are some important things to consider in connection with your company's data processing practices:
This article is not a substitute for professional legal advice. This article does not create an attorney-client relationship, nor is it a solicitation to offer legal advice.