We talk a lot about processing when using personal information. What is considered processing?
In data protection terms we spend a lot of time talking about processing personal information. This week we have had two conversations which highlighted that processing is not always understood.
The first company we were talking to are a document storage company being used by one of our clients. We were explaining that they were a data processor because they are storing the personal information. They explained that my client only stores the paper records there, that they do not look at the information being stored. I covered the fact that storing personal information was considered processing so even though they may not look at the personal information being stored they were still processing it on behalf of all their customers.
The second company was an IT support company. They worked with one of my clients setting people up on the client’s system, structuring hard drives and ensuring records were deleted when they met the end of the retention period. Again, they said that they didn’t look at the individual records which had personal information on them, so they were not processing. I explained that structuring records, deleting records and having access to the records was considered processing.
The definition of processing laid out in GDPR is “‘processing’ means any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.” It basically covers anything you can do with personal information from collecting, recording, storing, and deleting and everything in between.
So, who is processing your business information, think about cloud storage, CRM’s, mailing packages, Accountants, IT support, Virtual Assistants etc.? They may be working on your behalf and processing your information. How are you protecting that information?
Happy to answer any questions you may have.