The General Data Protection Regulation (GDPR) is an EU law concerning data protection and privacy. The regulation enacted rules about processing data and defined what activities constitute data processing.
Notably, the GDPR applies to any business or organization that controls or processes the data of EU citizens, even if the company has no physical presence within the EU.
Before we consider what activities are classed as processing, it's important to define what processing is in the context of data processing. Let's get into it more.
- 1. What Does 'Personal Data' Mean?
- 2. What Activities Count as Processing?
- 2.1. Collection of Personal Data
- 2.2. Recording of Personal Data
- 2.3. Organization of Personal Data
- 2.4. Structuring of Personal Data
- 2.5. Storage of Personal Data
- 2.6. Adaption or Alteration of Personal Data
- 2.7. Retrieval of Personal Data
- 2.8. Consultation of Personal Data
- 2.9. Use of Personal Data
- 2.10. Disclosure or Transmission of Personal Data
- 2.11. Destruction of Personal Data
- 3. Recording of Processing Activities
- 4. Summary
The term "processing" is broad and covers a wide array of activities. In its simplest form, processing is doing anything with, or to, an individual's personal data. This is regardless of whether your company deals directly with personal data, or whether your company provides a third party service to another company whereby you process data for them.
This definition means that the GDPR is likely to apply to any business or organization that does anything involving personal information. This includes collecting data, storing data, using data or erasing data. It's difficult to think of any activity involving personal data that wouldn't fall under the term 'data processing.'
Notably, the GDPR states that you must always have a 'valid lawful basis' to process personal data. Usually, the processing must be 'necessary' for you to perform a specific task that cannot reasonably be achieved another way.
What Does 'Personal Data' Mean?
It's also worth considering the definition of personal data.
This term is also broad and includes 'any information relating to an...identifiable natural person.' This means if the data subject can be identified either directly or indirectly using the information; the information will be treated as personal data.
For example, personal data includes information regarding a person's name, date of birth, home address, email address, IP address, geolocation, as well as sensitive personal information such as medical records and sexual orientation. It's important to note that IP addresses can sometimes be logged automatically by websites and analytical tools, and this would count as personal data collection.
Keeping the above definition in mind, let's consider the big question here:
What Activities Count as Processing?
Article 4(2) of the GDPR advises that 'processing means any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means...' The article then lists various activities that count as processing.
This is an extremely broad definition designed to cover everything an organization could possibly do with data.
The definition lists the following non-exhaustive list of activities that constitute as processing when done to or with personal data:
- Adapting or altering
- Disclosing or Transmitting
There are no specific examples of the above activities in the regulation, however the European Commission provide the following general examples of processing activities on its website:
- Staff management and payroll administration
- Access to/consultation of a contacts database containing personal data
- Sending promotional emails
- Shredding documents containing personal data
- Posting/putting a photo of a person on a website
- Storing IP addresses or MAC addresses
- Video recording (CCTV)
It can be difficult to distinguish between the names of the processing activities and to decide which category an activity falls into. Some activities may fall into several.
Let's break down each process and consider examples of what could fall under each category.
Collection of Personal Data
This is probably one of the most well known categories as 'data collection' has become a hot topic for privacy-conscious consumers.
Collection of personal data refers to information that is taken directly from a person.
For example, a customer may send your company an email leading you to collect their email address. This information was obtained directly from the individual as opposed to being obtained from a third party.
Your company should only collect the data it requires to perform necessary tasks, as the GDPR emphasizes the importance of not collecting unnecessary types of data.
For example, if you only need a person's email address to enter them into a prize drawing, it would not be right to ask the individual to disclose their full name, sexual orientation or date or birth as this information is not relevant for your purposes.
There are many reasons a company may need to collect someone's data including:
- Collecting a person's email address so that you can send them your company newsletter
- Collecting a person's credit or debit card information so that they are able to pay for a product
Travel company Expedia states what personal data the company collects and gives examples of necessary reasons for this, such as enabling customer's travel booking:
Recording of Personal Data
The word recording is not defined by the regulation and is likely deliberately broad.
If we took the broadest definition possible, writing down someone's name could constitute as recording their personal data.
An alternative definition of recording is to record a person's voice and what was said by them.
For example, a call center may record telephone calls from customers for the purposes of employee training. If this is the case, the person should be informed that they are being recorded and for what purpose.
Further examples of recording data include:
- Writing information, or making a record, on your company database which names a specific individual. For example, you may record a person's name and state that you have their consent to collect certain types of personal data from them.
- Taking notes in a meeting with your employees or clients whereby you record their full names and what was said. If this document is then filed, you have both recorded and stored personal data.
Organization of Personal Data
The normal meaning of organization is simply to arrange something into categories - usually to create a system that makes the item or information easier to locate and more practical to use.
In the context of processing, the organization of personal data would include:
- Arranging information within a physical filing system and putting it into a working order. For example, you could organize personal data by your customer's surnames.
- Organizing information within an online filing system or database into a working order.
Keeping personal data organized is essential as the GDPR gives individuals the right to know what data is held about them, as well as the right to correct inaccurate data and delete data. If an individual made such a request, your company would need an organized and systematic approach to locating all of the data held about that person.
Structuring of Personal Data
This category is similar to the organization of data and neither term is defined in the regulation.
Structuring in this context could be interpreted as storing and arranging data in a structured form according to a specific plan or creating a cohesive whole which is built up of distinctive parts of data.
Alternatively, it could relate to analysing the patterns or relationships between data using a structured approach.
The following activities would fall under this category:
- Structuring data by a particular category or quality e.g. alphabetically.
- Arranging client's data in a specific structure to enable you to analyse it and look for patterns. For example, arranging data by age range and analysing it to see if there are similarities in spending habits.
- Creating a new larger data file made up of separate smaller computer files containing different types of data.
Storage of Personal Data
Storing personal data means to keep and maintain a record of the data whether electronically or on paper. This could be a formal storage system whereby data is inputted into a spreadsheet and analysed, or it could be informal such as an employee receiving an email from a customer and then failing to delete it.
Other examples of data storage include:
- Storing buyer's credit card information so that they can check out faster on subsequent purchases
- Storing client's data in a physical filing cabinet
Ideally, all digitally stored data should be encrypted for security purposes.
Adaption or Alteration of Personal Data
Your company may need to change an element of an individual's personal data. This could be to correct inaccurate information or to update the information you hold.
- A customer calls and informs you they have changed their address and would like you to update it on your system.
- You notice an employee has mistyped a customer's name and need to alter the data to correct the typo.
- A customer goes on to their online account and alters their account information. For example, the person removes old credit card details and enters new details.
It's important to have the ability to alter data since one of the user rights granted by the GDPR is the right to correct inaccurate data.
Twitter enables users to alter their own personal data, such as their phone number and username:
Retrieval of Personal Data
Once again, the regulation does not define the word retrieval in the context of processing. Therefore the assumption is that retrieval takes on its usual meaning of obtaining or consulting material stored in a computer system, or the process of getting something back from somewhere.
Alternatively it could refer to the process of retrieving lost or deleted data.
- Retrieving the data of a previous customer from your online database in order to send a promotional offer
- Locating an individual's personal data and consulting the material to obtain a specific piece of data
- Retrieving data from one source so that it can be transferred to another
Consultation of Personal Data
The word consultation is not defined in the act, but since it has been left open to interpretation a broad approach should be taken.
The word consultation generally means to discuss something with another or to ask for an expert opinion. In business terms, a consultation is usually a meeting held to discuss a particular topic.
In the context of data, discussing an individual's personal data could be classed as processing.
- Discussing an employee's personal data at a management meeting
- Seeking advice from an expert which involves discussing the personal data held on a client
Use of Personal Data
The use of personal data is also an incredibly wide term which covers using or handling data for any purpose.
There are many legitimate ways a company can use personal data including:
- Using the personal data of employees for the purposes of payroll administration
- Using a customers email address to send an email for marketing purposes
Disclosure or Transmission of Personal Data
This includes sharing data with third parties, as well as sharing data internally with your colleagues or employees.
Examples of disclosure by transmission include:
- Emailing personal data to a third party, such as a third party payment processor, marketer or an analytics service
- Sending personal data to a different server
- Uploading personal data to the Cloud
Remember to ensure the security of any transmitted personal data by using secure servers and employing the use of encryption and VPNs.
Destruction of Personal Data
This covers any type of destruction or deletion of personal data, whether by company choice or at the request of a customer.
Under the GDPR, people have the right to erasure, when means they can request a company deletes their personal data or certain categories of it. There are some circumstances in which organizations can refuse to delete a person's data if it is necessary to keep it.
Destruction of data includes the following activities:
- Shredding documents containing personal data
- Deleting computer files of ex-clients
- Deleting data at the request of a customer. For example, a customer contacts your organization and requests that their telephone number is removed from your database.
- Deleting a customer's email address from your database because they unsubscribe from all of your company's marketing emails and newsletters
Recording of Processing Activities
Lastly, it's important to note that controllers and processors are required to keep a record of all processing activities. We will not go into this in detail in this article, however Article 30 requires organizations to maintain a record of processing activities containing several pieces of information.
Processing personal data is a wide, all-encompassing term. There are various activities that count as processing, including the collection of personal data, the storage of data, the organization of data, the disclosure of data and the destruction of data.
As an example of how broad the term is, your company is classed as a data processor if it:
- Stores any type of data at all including names, email addresses, payment information, shipping details and even IP addresses that are collected automatically (Storage of personal data)
- Receives a small amount of data and deletes it immediately (Destruction of data)
- Maintains employee records to process payroll (Use of personal data)
- Sends data to a third party processor via email (Transmission of personal data)
Finally, it's crucial to maintain a record of all of the data your company processes since this is required under Article 30 of the GDPR.