The GDPR part 4: Data processing

/The GDPR part 4: Data processing
The GDPR part 4: Data processing2018-12-07T14:18:43+00:00

The GDPR part 4: Data processing


Blog Best practice March 20, 2018

This article looks into the term data processing activities. It also explains the importance of record-keeping and, finally, the idea of lawful grounds for processing data.

The meaning of “data processing”

Data processing is actually anything that you do with data. It is the collection, registration, organisation, structuring, storage, modification, compilation, reading, usage, handing-out, transfer, distribution, adjustment, merging, limitation and deletion of data. Anything that you do with the data you have access to is regarded as processing. And it doesn’t matter if it is digital or on paper.

Records of processing activities

Companies wanting to comply with the new regulation will need to establish a processing register. They need to create a data inventory – the data they have access to, their processes and the software they have it in.

“According to the GDPR, consent will no longer be regarded as the primary legal grounds.”

Our approach is to map out everything because the data-processing register is the first thing that any data protection authority (DPA) will ask about when contacting a data processor.

Legal grounds for data processing

Companies need to map out whether they have legal grounds for processing personal data, or, put simply, whether the personal data in their system can be there or not. The GDPR provides for several such grounds, while it is up to the company to determine whether such conditions exist:

  • Fulfilment of contractual obligations
  • Fulfilment of legal obligations
  • Legitimate interests
  • Public interests
  • Vital interests
  • Consent of the data subject

It should be noted that, according to the GDPR, and contrary to current legislation, consent will no longer be regarded as the primary legal grounds.

Hopefully, you now have a better understanding of what data processing is. You should also know why it is important to keep a register of data-processing activities and have established the legal grounds for processing data according to the GDPR.

In our next and final article, we will go into further detail as regards fulfilling the regulation. We will tell you about “privacy by design” and look at the company’s internal organisation and some of the consequences of non-compliance with the GDPR.

Read more about how Pagero is working to fulfil the requirements of the GDPR

Previous articles

GDPR part 1: Background and important dates

GDPR part 2: Personal data

GDPR part 3: Important terms and responsibilities

This website uses cookies and third party services. By browsing our website you consent to the use of cookies and embeds from our site. Ok