What Activities Count as Processing Under the GDPR?
If you collect, store, share, or transmit someone's personal data in any way, chances are you're "processing" it under the EU's General Data Protection Regulation (GDPR). This is significant because all processing activities fall under the GDPR's scope.
In other words, if you process any personal data at all, even if it's just one or two pieces of information, you're bound to comply with the regulation.
Simply put, since many businesses collect even small amounts of personal data from EU residents, it's best to assume you should comply with the GDPR. So, let's check out how the rules apply to you by looking at examples of GDPR processing activities.
- 1. Personal Data
- 2. How the GDPR Defines Processing
- 3. The GDPR Principles
- 4. Data Collection
- 4.1. Declaration of Data Collection
- 4.2. Data Minimisation
- 5. Personal Data Recording
- 6. Storing Personal Data
- 7. Organizing Personal Data
- 8. Personal Data Disclosure
- 8.1. Internal communications
- 8.2. External data sharing
- 9. Amending Personal Data
- 10. Personal Data Destruction or Erasure
- 11. Conclusion
Personal Data
Before we move on to look at some examples of personal data processing, let's be absolutely clear on what personal data actually is.
Personal data is any information relating to an identified or identifiable living person, from names to IP addresses. Article 4(1) of the GDPR gives further examples, but the list there is certainly not exhaustive.
Here's a good rule of thumb: if you think it's personal data, assume that it is and safeguard it properly. That way, you're always complying with the regulation.
Now we've clarified what information we're talking about, let's take a closer look at "processing" under the GDPR.
How the GDPR Defines Processing
To put it simply, "processing" is pretty much anything you can do with someone's personal data.
You'll see what we mean if you look at Article 4(2), where there's a long list of activities that count as data processing.
The use of the phrase "such as" means that, again, this isn't an exhaustive list of possible processing activities. They're all just examples to help you understand what might be construed as processing.
What's more, automated processing is included, so activities like profiling fall under the GDPR's scope.
Article 4(5) also makes clear that pseudonymisation is itself processing. Pseudonymised data is still personal data in your hands: the additional information needed to link it back to a person (a key or a lookup table) has to be kept separately and protected, and as long as you hold that information, the person can be re-identified.
Before we look at processing activities in more detail, let's be clear on the principles you must follow if you plan on collecting personal data at all.
The GDPR Principles
The GDPR sets out its principles for processing personal data in Article 5. In summary, you must:
- Always process data fairly, lawfully and transparently
- Only collect personal data for a set purpose
- Make sure you only collect as much personal information from someone as you actually need
- Keep the data accurate and up to date, and correct or erase inaccurate data without delay
- Delete data once you don't need it anymore
- Keep the data confidential and secure at all times
- Take responsibility for your company's personal data handling processes
So if you plan on engaging in any data processing activities under the GDPR, you must only do so in line with these principles.
To help you understand how this all works and how it relates to your business, let's work through the various types of processing activities, starting with data collection.
Data Collection
Data collection means exactly what you think it means: gathering personal data. There are two ways you can do this:
- Collecting it from the individual (or "data subject," as they're called under the GDPR)
- Obtaining it from a third party, e.g. a retailer, financial institution or marketing company
Here are some examples to make this more clear:
- A customer inputs their credit card details into your system to complete a purchase
- Someone gives you their email address to enter a competition, or join a mailing list
- A marketing company shares analytics data with you
So, how do you ensure you're collecting personal data in line with the Article 5 principles? You must do two things: tell people what you collect and why before you collect it (and, where consent is your lawful basis, obtain that consent first), and ensure you're only collecting as much as you need.
Let's break this down.
Declaration of Data Collection
Your Privacy Policy should set out:
- That you collect data
- Why you need it
- How you plan on using it
Remember, it's all about transparency. If you're collecting data, you need to tell people about it first. So, before you collect data, draw the person's attention to your Privacy Policy.
Data Minimisation
This is pretty simple. Don't collect more data than you need to fulfill a set purpose. For example, you don't need someone's Social Security Number to sell them clothes online.
Here are some tips to keep in mind:
- Ask yourself if you really need a piece of data. If the answer is no, don't collect it.
Personal Data Recording
The "recording" activity is, admittedly, a little confusing. There's no clear guidance on what the GDPR means by "recording," which means it's interpreted pretty broadly. Here are some examples of what "recording" seems to mean under the GDPR:
- Recording minutes from a meeting with a client
- Keeping a record of correspondence with someone e.g. an email chain
- Recording a telephone call with a customer, even if it's just for monitoring and training purposes
In other words, if you record something that you can use to identify another person, it's personal data, and it's a processing activity under the regulation.
Before we move on, there are two things to note here.
First, Recital 42 (and Article 7(1)) of the GDPR states that you must be able to demonstrate that the data subject gave consent if you're relying on consent to process data.
There's no clear guidance on how you record consent, but basically, you should record:
- The data subject's name or identifier, such as an email address
- The date and time you obtained consent (a timestamp is best, but other records may suffice)
- What they consented to, e.g. which data capture form they used and what it said at the time
- How they consented e.g. if it's by telephone call, keep a copy of the call script
- When they withdrew consent, if applicable (again, use a timestamp where possible)
Second, all records must be stored securely, even if it's just confirmation of consent. We'll see how this works below.
Storing Personal Data
Once you've captured personal data and recorded the relevant consent, you need to store it all somewhere. It's crucial that you store it safely to comply with your confidentiality and security obligations under the GDPR.
First, here are some examples of storing someone's personal data:
- Keeping emails from customers in your inbox or junk mail
- Recording someone's name and address on a spreadsheet
- Scanning customer invoices onto your computer, or keeping the paper documents around the office
- Dictating notes from a meeting with customers, clients or employees
While the GDPR doesn't set out exactly how you should store such data, Article 32 lists measures to consider, as appropriate to the risk. Essentially, you should:
- Encrypt data: Encryption "scrambles" personal data so that no one can read it without the key, so a lost laptop, a stolen backup or a leaked database dump does not expose the data itself
- Use pseudonymisation: Replace directly identifying fields (name, email address) with a token or keyed hash, and keep the information needed to reverse it separately from the data
- Be able to restore access to the data promptly after an incident, and regularly test that your safeguards actually work
So, for example, if you want to store consent records, you might encrypt these. The measures you must implement are those appropriate to the risk, taking into account the state of the art, the cost of implementation and the nature of the processing; a small business holding a mailing list is not held to the same standard as a hospital.
Here's an example of such a clause from Disney:
There's no need to include too many details. You only need to highlight that you use safeguards to protect personal data.
Organizing Personal Data
The more personal data you capture and store, the harder it is to keep it all organized. However, "organizing" or "structuring" personal data are processing activities, so it's important you do it properly. The reason is twofold.
First, if someone asks to see their data, you should be able to produce it quickly. This is what the right of access (Article 15) and the right to data portability (Article 20, discussed in Recital 68) require.
The better organized the data, the easier it is to find and transmit.
Second, if you're ever audited by a Data Protection Authority, it can penalise you for not taking good care of data in your possession. But what does it mean to organize personal data? It's pretty self-explanatory, but here are some examples:
- File data away somewhere, even if it's in the cloud
- Create customer records
- Collate information on a spreadsheet, mailing list or database
It's a good idea to audit your procedures; this is also the starting point for the record of processing activities that Article 30 requires of many organisations. Make sure you know:
- Where information comes from e.g. emails, web capture forms
- What categories of data you process
- Where you store the data e.g. cloud, servers, hard drives
- What data leaves your company e.g. if you share it with marketing companies
Depending on the size of your company and the sensitivity of the data you're organizing, it might be best to ask a specialist IT provider for help. This is definitely a good idea if you're in a regulated industry like healthcare or finance, where you're handling really sensitive data on a regular basis.
Personal Data Disclosure
There are two ways you can transmit or disclose personal information under the GDPR:
- Internal transmission e.g. sharing customer details with another member of staff
- External transmission e.g. disclosing the data to marketing companies
Both forms of transmission count as processing, and they require slightly different safeguards.
Internal communications
If you're sharing data around the organization, you still need to protect it properly. That's because:
- Every system is vulnerable to malicious external threats, and
- You still need to shield data from unauthorized personnel
So, you can secure internal communications by:
- Encrypting data, such as spreadsheets or invoices, before you send them, rather than relying on the mail system alone
- Using strong, unique passwords and multi-factor authentication on the accounts and systems that hold personal data
- Restricting access so that only the staff who need a given dataset can open it, and segmenting the network so that file shares holding personal data aren't reachable from every device in the building
External data sharing
It's common for companies to share data with external service providers like marketing agencies. But before you transmit data outside the company, there's one thing you need: a Data Processing Agreement, the written contract Article 28 requires between a controller and a processor.
The agreement regulates the relationship between you (the "data controller") and the third party (the "data processor"). For example, the processor may only process the data on your documented instructions, must keep it confidential and secure, and must help you meet your own GDPR obligations, such as responding to data subject requests.
You shouldn't sign a DPA with any company unless you're satisfied they have safeguards in place to comply with the GDPR.
Amending Personal Data
The personal data you store should be accurate, which means people have the right to have their information corrected. This right to rectification is set out in Article 16.
It's okay for you to amend data, too. For example, maybe you spot an error in the client's address details and you need to fix it. Just keep a record of what was changed, when and why, so you can show you're handling the data properly.
Finally, make sure you tell people about the right to amend data. Informing people of their data rights is central to the GDPR, and you must bear this in mind whenever you process any data.
Personal Data Destruction or Erasure
Yes, even destroying or removing data is technically a processing activity. Here's when it might apply:
- Someone withdraws consent to marketing
- You don't need the data anymore
It's clearly set out in Article 17, and it's known colloquially as the "right to be forgotten."
Note that it's not an absolute right: Article 17(3) lets you keep the data where you need it to comply with another legal obligation or to establish, exercise or defend legal claims, for example.
Set up regular reviews of the data you store and delete it if you don't need it anymore.
Remember, Article 5(1)(e) specifically requires storage limitation, so scheduled data reviews are an easy way to comply. Make sure the review covers every copy, including backups, exports and spreadsheets on individual machines, not just the main database.
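The two technical safeguards this article leans on, encryption and pseudonymisation for stored consent records (the Article 32 measures above) and erasure under Article 17 and the storage-limitation principle, fit together in one design. The following is an added example, not code from the article: a hypothetical consent store that pseudonymises the subject's email address with a keyed hash, encrypts each consent record under a per-subject key, and implements erasure by destroying that key ("crypto-shredding"), so that copies of the ciphertext lingering in backups become unreadable as well. The cipher is a standard-library stand-in (HMAC-SHA256 keystream with encrypt-then-MAC) chosen so the example runs offline; in production use a vetted AEAD such as AES-GCM or ChaCha20-Poly1305. The `ConsentStore` class, its method names and the retention logic are assumptions for illustration.

```python
import hashlib
import hmac
import json
import secrets
from datetime import datetime, timedelta

# Assumption: the cipher below (HMAC-SHA256 keystream, encrypt-then-MAC) is a
# standard-library-only stand-in so the example runs offline; in production use
# a vetted AEAD such as AES-GCM or ChaCha20-Poly1305 instead.
NONCE_LEN, TAG_LEN = 16, 32


def pseudonymise(identifier: str, pseudonym_key: bytes) -> str:
    """Keyed hash of an identifier (Article 4(5)). The key is the 'additional
    information' kept separately; unlike plain SHA-256, the output cannot be
    reversed by hashing a list of likely e-mail addresses."""
    canonical = identifier.strip().lower().encode()
    return hmac.new(pseudonym_key, canonical, hashlib.sha256).hexdigest()


def _subkey(key: bytes, label: bytes) -> bytes:
    """Separate confidentiality and integrity keys derived from one subject key."""
    return hmac.new(key, label, hashlib.sha256).digest()


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    out, block = b"", 0
    while len(out) < length:
        out += hmac.new(key, nonce + block.to_bytes(4, "big"), hashlib.sha256).digest()
        block += 1
    return out[:length]


def encrypt(key: bytes, plaintext: bytes) -> bytes:
    """Return nonce || ciphertext || tag."""
    nonce = secrets.token_bytes(NONCE_LEN)
    stream = _keystream(_subkey(key, b"enc"), nonce, len(plaintext))
    ct = bytes(p ^ k for p, k in zip(plaintext, stream))
    tag = hmac.new(_subkey(key, b"mac"), nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def decrypt(key: bytes, blob: bytes) -> bytes:
    """Verify the tag before decrypting; a wrong key or an altered record raises."""
    nonce, ct, tag = blob[:NONCE_LEN], blob[NONCE_LEN:-TAG_LEN], blob[-TAG_LEN:]
    expected = hmac.new(_subkey(key, b"mac"), nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("record failed integrity check: wrong key or tampered data")
    stream = _keystream(_subkey(key, b"enc"), nonce, len(ct))
    return bytes(c ^ k for c, k in zip(ct, stream))


class ConsentStore:
    """Hypothetical consent-record store. Its three pieces of state belong in
    separate trust domains: pseudonym_key (e.g. a KMS), subject_keys (key store)
    and records (database: ciphertext plus a plaintext retention date)."""

    def __init__(self, pseudonym_key: bytes, retention_days: int = 365):
        self.pseudonym_key = pseudonym_key
        self.retention = timedelta(days=retention_days)
        self.subject_keys = {}  # pseudonym -> random per-subject key
        self.records = {}       # pseudonym -> {"expires": iso8601, "entries": [blob, ...]}

    def record_consent(self, email: str, purpose: str, method: str, when: datetime) -> str:
        """Proof of consent (Recital 42): what was agreed to, how, and when."""
        pid = pseudonymise(email, self.pseudonym_key)
        key = self.subject_keys.setdefault(pid, secrets.token_bytes(32))
        entry = {"purpose": purpose, "method": method, "given": when.isoformat()}
        rec = self.records.setdefault(pid, {"expires": None, "entries": []})
        rec["entries"].append(encrypt(key, json.dumps(entry).encode()))
        rec["expires"] = (when + self.retention).isoformat()  # readable without the key
        return pid

    def read_consent(self, email: str) -> list:
        """Everything held on one person, e.g. to answer an access request."""
        pid = pseudonymise(email, self.pseudonym_key)
        key = self.subject_keys.get(pid)
        if key is None or pid not in self.records:
            return []
        return [json.loads(decrypt(key, blob)) for blob in self.records[pid]["entries"]]

    def erase(self, email: str) -> bool:
        """Article 17 erasure by crypto-shredding: destroy the subject key, then the
        rows; any copy of the ciphertext still sitting in a backup is now unreadable."""
        pid = pseudonymise(email, self.pseudonym_key)
        existed = self.subject_keys.pop(pid, None) is not None
        self.records.pop(pid, None)
        return existed

    def purge_expired(self, now: datetime) -> int:
        """Scheduled storage-limitation review: shred everything past retention."""
        expired = [p for p, r in self.records.items() if datetime.fromisoformat(r["expires"]) <= now]
        for pid in expired:
            self.subject_keys.pop(pid, None)
            self.records.pop(pid, None)
        return len(expired)
```

To try it, build a store with a random 32-byte pseudonym key, call `record_consent("alice@example.com", "newsletter", "web form", datetime.now(timezone.utc))`, then `read_consent` and `erase` for the same address; after `erase`, `read_consent` returns an empty list and `decrypt` on any retained blob raises `ValueError`. Two design points matter in practice: the pseudonym key, the per-subject keys and the records must genuinely live in different places (a keyed hash stored next to its key is no better than a plain hash), and the retention date is kept in plaintext precisely so the scheduled review can run without decrypting anything.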
Conclusion
If there's one thing we know about the GDPR, it's this: it's designed to regulate data processing activities and protect individuals' personal data. That's why there's such a broad definition of "processing" in the regulation. It covers virtually everything you can do with personal data; the main exception is processing by an individual in the course of a purely personal or household activity.
If you process personal data, you must abide by the GDPR's seven principles for data processing. Most importantly, you should act transparently and lawfully at all times, and minimize the data you capture where possible.
Processing activities include collecting, recording, storing, organizing, disclosing, amending and erasing personal data.
Essentially, if you think it's a processing activity under the GDPR, follow the rules. That way, you don't need to worry about non-compliance.