Part 4: Data processing – what it means, records of processing activities and legal grounds
In this article, we will look more closely at the term data processing activities. We will also talk about the importance of record-keeping and, finally, the idea of lawful grounds for processing data.
The meaning of “data processing”
Data processing is actually anything that you do with data.
It is the collection, registration, organisation, structuring, storage, modification, compilation, reading, usage, handing-out, transfer, distribution, adjustment, merging, limitation and deletion of data. Anything that you do with the data you have access to is regarded as processing.
And it doesn’t matter if it is digital or on paper.
Records of processing activities
Companies wanting to comply with the new regulation will need to establish a processing register. They need to create a data inventory covering the data they have access to, their processes and the software in which that data is held.
Our approach is to map out everything because the data-processing register is the first thing that any data protection authority (DPA) will ask about when contacting a data processor.
Legal grounds for data processing
Companies need to map out whether they have legal grounds for processing personal data, or, put simply, whether the personal data in their system can be there or not. The GDPR provides for several such grounds, and it is up to the company to determine whether such conditions exist:
- Fulfilment of contractual obligations
- Fulfilment of legal obligations
- Legitimate interests
- Public interests
- Vital interests
- Consent of the data subject
It should be noted that, according to the GDPR, and contrary to current legislation, consent will no longer be regarded as the primary legal ground.
Hopefully, you now have a better understanding of what data processing is. You should also know why it is important to keep a register of data-processing activities and to establish the legal grounds for processing data according to the GDPR.
In our next and final article, we will go into further detail as regards fulfilling the regulation. We will tell you about “privacy by design” and look at the company’s internal organisation and some of the consequences of non-compliance with the GDPR.
This article was written by Nazar Paradivskyy, Head of Compliance at Pagero Group, together with Fredrik Hjorth, a consultant from Transcendent Group. He is currently helping Pagero to implement the changes required by the GDPR. Fredrik has long experience of legislation in the privacy field and has solid experience from banking and finance.