Part 4: Data processing – what it means, records of processing activities and legal grounds

In our previous article, we went through some important terms related to the upcoming GDPR and put them into the context of what we do and how they impact the way we work.

In this article, we will look more closely at the term data processing activities. We will also talk about the importance of record-keeping and, finally, the idea of lawful grounds for processing data.

The meaning of “data processing”

Data processing is actually anything that you do with data.

It is the collection, registration, organisation, structuring, storage, modification, compilation, reading, usage, handing-out, transfer, distribution, adjustment, merging, limitation and deletion of data. Anything that you do with the data you have access to is regarded as processing.

And it doesn’t matter if it is digital or on paper.

Records of processing activities

Companies wanting to comply with the new regulation will need to establish a processing register. They need to create a data inventory covering the data they have access to, their processes and the software in which that data is held.

Our approach is to map out everything because the data-processing register is the first thing that any data protection authority (DPA) will ask about when contacting a data processor.

Legal grounds for data processing

Companies need to map out whether they have legal grounds for processing personal data, or, put simply, whether the personal data in their system can be there or not. The GDPR provides for several such grounds, and it is up to the company to determine whether the conditions for them exist:

  • Fulfilment of contractual obligations
  • Fulfilment of legal obligations
  • Legitimate interests
  • Public interests
  • Vital interests
  • Consent of the data subject

It should be noted that, according to the GDPR, and contrary to current legislation, consent will no longer be regarded as the primary legal grounds.

Hopefully, you now have a better understanding of what data processing is. You should also know why it is important to keep a register of data-processing activities and to establish the legal grounds for processing data according to the GDPR.

In our next and final article, we will go into further detail about fulfilling the regulation. We will tell you about “privacy by design” and look at the company’s internal organisation and some of the consequences of non-compliance with the GDPR.


This article was written by Nazar Paradivskyy, Head of Compliance at Pagero Group, together with Fredrik Hjorth, a consultant from Transcendent Group. Fredrik is currently helping Pagero to implement the changes required by the GDPR. He has long experience of legislation in the privacy field and solid experience from banking and finance.

Previous articles

GDPR Part 1: Important dates, why the GDPR and the main changes compared to existing legislation

GDPR Part 2: Personal data – what it is in general and in our line of business

GDPR Part 3: Core terminology and Pagero’s position in the GDPR universe