This article looks into the term data processing activities. It also explains the importance of record-keeping and, finally, the idea of lawful grounds for processing data.
The meaning of “data processing”
Data processing is actually anything that you do with data. It is the collection, registration, organisation, structuring, storage, modification, compilation, reading, usage, handing-out, transfer, distribution, adjustment, merging, limitation and deletion of data. Anything that you do with the data you have access to is regarded as processing. And it doesn’t matter if it is digital or on paper.
Records of processing activities
Companies wanting to comply with the new regulation will need to establish a processing register. They need to create a data inventory – the data they have access to, their processes and the software they have it in.
“According to the GDPR, consent will no longer be regarded as the primary legal grounds.”
Our approach is to map out everything because the data-processing register is the first thing that any data protection authority (DPA) will ask about when contacting a data processor.
Legal grounds for data processing
Companies need to map out whether they have legal grounds for processing personal data, or, put simply, whether the personal data in their system can be there or not. The GDPR provides for several such grounds, while it is up to the company to determine whether such conditions exist:
Fulfilment of contractual obligations
Fulfilment of legal obligations
Consent of the data subject
It should be noted that, according to the GDPR, and contrary to current legislation, consent will no longer be regarded as the primary legal grounds.
Hopefully, you now have a better understanding of what data processing is. You should also know why it is important to keep a register of data-processing activities and have established the legal grounds for processing data according to the GDPR.
In our next and final article, we will go into further detail as regards fulfilling the regulation. We will tell you about “privacy by design” and look at the company’s internal organisation and some of the consequences of non-compliance with the GDPR.