Episode Six – Basis for Processing Data
Why do you process data? We don’t! you may cry, we just write the address down that the customer gives us, put it on an envelope, put the goods in the envelope and put it in the post. Ahh but you do?;
In this simple example, the business collected personal data from the customer (their name and address) and transmitted that personal data to a third party (the Post Office.) When viewed in these, all be it rather simplistic terms, there aren’t really any businesses that don’t ‘process’ personal data.
‘processing’ means any operation or set of operations which is performed on personal data […], whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction; GDPR Article 4(2)
The 25th of May 2018 is a date imprinted on the minds of many a corporate executive as the date that the new EU General Data Protection Regulations come into force. Regardless of whether the UK withdraws from membership of the European Union the GDPR will apply to the UK as a whole and the many companies within it.
Amongst the many changes that the GDPR brings about in an effort to harmonise and strengthen the protections of its citizens data is the need for companies to have a legitimate reason to ‘process data.’ The GDPR removes some of the existing justifications applicable under the UK Data Protection Act 1998, and narrows the scope of legally acceptable reasons.
Processing shall be lawful only if, and to the extent that, one of the following applies:
a) data subject has given consent […]
b) processing is necessary for the performance of a contract in which the data subject is part or […] prior to entering a contract.
c) processing is necessary to comply with a legal obligation to which the controller is subject
d) processing is necessary to protect the vital interests of the data subject […]
e) processing is necessary for the performance of a task carried out in public interest […]
f) processing is necessary for purpose of legitimated interests pursued by the controller […] except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject.
GDPR Article 6
Should the personal data a company holds relate to a child under 16 or relate to what the GDPR classifies was special categories of data such as ethnicity, or trade union membership. Then the lawful purpose criteria becomes even narrower and the bar is set far higher.
In episode 2 of this series we discussed SAP’s Information Steward and data audits. We talked about how both of these things help a business understand the data it holds, for example its source, type and also the reason for holding the data in the first place. The article describes how the output from the data audit is a foundation document and the identification of a lawful reason for processing data is another case where this document is helpful.
The majority of the ‘core’ processing undertaken by a business will fall into one of two of the above categories; (b) processing necessary for the performance of a contract, or (f) processing for legitimate interest.
As a first step to fulfilling the requirements of Article 6, companies should identify all of the data processed for the performance of a contract. Companies should then identify data processed prior to entering into a contract. Having done so, the next step would be to understand what happens to that data once the contract has been fulfilled; is the data deleted or retained, for how long is that data retained, and for what purpose? This purpose may well come under category (c) legal obligation, if the data is retained for tax or social security purposes.
Having identified ‘contract personal data’ the next step would be to identify the data processed for a legitimate interest of the company. Having done so, companies should ask themselves what the legitimate interest is and review the personal data against that interest. As mentioned earlier, the GDPR narrows the scope of the legitimate basis for data processing. So, it is important for companies to understand if their reasoning for processing the data is truly a legitimate interest and whether the data points they use in pursuit of that interest, align with it.
For example, a supermarket collecting the postcodes of its online customers for the purpose of understanding the geographical distribution of them and therefore the best location to build a new local distribution hub, is a legitimate interest. However, collecting the income details of customers using the same legitimate interest is not lawful as the income data is unrelated to the geographical processing.
For each data processing operation, the controller must understand the legitimate reason for that operation and should seek to communicate those reasons in the privacy notice, (see episode three – Communicating Privacy Information)
Having understood the business reasons for processing personal data the Controller can now widen their review and take into account data which is processed on the basis of the data subjects consent. Consent to process data is an area where the GDPR enhances and expands the rights of citizens and which will be covered in a future episode.
If companies rely on (c) processing for compliance with a legal obligation, they should be aware of the source of that obligation. That is to say that the legal obligation pertains to one from an EU member state and not one from a country outside the EU.
Points (d) and (e) will find very limited application. It is envisaged that point (d) vital interests, would be utilised by the medical profession and with regards to point (e) public interest, the GDPR has been drafted such that it will be left to individual countries to define what constitutes public interest and this will no doubt lead to differences across the EU. The UK Government has already drafted the new Data Protection Bill, which addresses this and other areas where governments are free to ‘fill in the blanks.’
When deciding on the basis for processing data, companies should review their processing operations with a very narrow lens. The GDPR limits the acceptable criteria, and in enhancing protections afforded to its citizens the EU has indicated to Information Commissioners that they should adopt a narrow viewpoint.
An unforeseen result of work undertaken by controllers today is future proofing against further legislative changes. Estonian MEP’s are vocal advocates for enhanced online privacy and the abolition of surveillance based marketing. With Estonia currently holding the presidency of the Council of the European Union, there is a reasonable expectation amongst privacy professionals that new data privacy laws will soon be proposed. The work companies undertake now, will go a long way to ensuring they are in the best position moving forwards.
Your Journey to GDPR Compliance Series – Missed an Episode? Catch up on demand below:
Stephen Lofthouse MSc BSc PGCLTHE FHEA is a GDPR Consultant with Proceed and a member of the International Association of Privacy Professionals. He is an award-winning SAP mentor who has worked globally for a number of years both commercially and in academia.