In our previous article, we looked at how to audit the personal data that your business collects. We considered what constitutes personal data under the GDPR, and a process by which you could document all of the circumstances in which that data comes into your business.
If you’re following our process, you’ll know that we recommended creating a Personal Data Log (PDL) – a living document that you can continue to use to keep control over the data you collect.
Now that we know what personal data your business holds, we’ll turn to how you process that data.
‘Processing’ under the GDPR
‘Processing’ is an important concept under the GDPR. The entire regulation is focussed on defining and controlling how personal data may legitimately be processed.
Perhaps ironically, the concept need not detain us too long, because the definition of ‘processing’ is extremely wide.
If you consider that it includes storage, use and transmission of data, you’ll quickly arrive at the conclusion that if you have data, you’re almost certainly processing it.
That being the case, I’m going to launch straight into how to identify the different ways in which we process data, and use our Personal Data Log to keep track of it. That will lead us to a position where we can properly understand:
a) whether we have a legitimate, lawful basis under the GDPR to process the data in the way we do;
b) what our responsibilities are for that data.
“… any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction”
Identifying how we store, use and transmit personal data
The objective for this stage of our plan is to understand how we process personal data. We have already determined that we collect personal data – we are now going to look individually at storage, use and transmission of data – because these are the broad types of processing that the vast majority of small businesses will be using.
By detailing how we process the data, we are preparing for the following step in the plan, which is to determine whether that particular type of processing is lawful under the GDPR.
Collection and storage of information typically go hand in hand. On any definition of the word, it’s difficult to collect something if you don’t store it in one way or another (given that even writing it down is a form of storage).
For each of our data inputs (i.e. the scenarios in which we collect personal data), we need to be able to answer the following questions as a minimum:
- How is the data stored? Is it in electronic format, such as in a spreadsheet, email inbox or database? Or is it stored physically, such as on paper in a good old-fashioned filing cabinet?
- Where is that data stored? For physical (hard copy) data, this is pretty straight forward – but for digital data, things get a bit more complex: for spreadsheets, emails, databases, where is that data physically stored? On the hard drive of your computer in the office or on a USB stick? Maybe. But cloud computing makes it far more likely that the data is actually stored on a server somewhere else – maybe in a different continent. Think Google Drive, OneDrive, Gmail, hosted CRM or email campaign management tools – none of the data in these applications is stored on your device – it’s all stored ‘in the cloud’. Whilst this complicates things, we need to be clear about where that data is – because it also influences who has access to it;
- Who has access to the data? This will clearly depend on the type of storage. For hard copy documents, perhaps the data is locked away in a physical location to which only limited people have a key. For digital data stored on a system of some kind, perhaps the information can only be accessed by people with a user account and password (and the third party providers of that system – and all their employees??)
- What protection is in place to keep that data secure? As above, hard copies of information can be physically secured, but digital data is different – it’s protected by user accounts/passwords, and possibly firewalls and encryption. So what protection have you got in place?
- How long is it kept for? Do you have any processes for deleting/archiving old information when you don’t need it any more? Or does it simply build up and up over time?
For each of the data input rows on your Personal Data Log, you need to be clear on the answers to the above – and now would be the time to enter that information into Columns G to K.
Ok, so this is a pretty broad category – but this is a good time to ask yourself the question ‘what do we use this data for?’.
This process is going to be useful for three main reasons:
- You’re likely to discover some data that you collect unnecessarily. The concept of ‘data minimisation’ is going to become increasingly important – if you don’t need it, why take on the responsibility of looking after it? Now would be a great time to stop collecting unnecessary data, and securely disposing of stuff you’ve collected in the past;
- Whenever you rely on the data subject’s consent to use data, that consent under the GDPR is limited to the particular uses that you specify. In general terms, you can’t collect the data for one reason, and then go on to use it in a different way.
Here are a few – perhaps obvious – uses of the data you collect, as a starting point:
- To be able to respond to a customer’s request for information (e.g. data taken via website contact forms)
- To deliver the products and services that your business provides (e.g. data collected when a customer places an order or signs up for an account)
- To provide customer service to existing and prospective customers (e.g. data collected when a customer places an order or signs up for an account);
- To be able to send newsletters or other marketing and promotional material to customers (e.g. data taken in newsletter sign up forms)
- To provide employee services such as payroll (e.g. data taken when a new employee starts);
- To maintain the security and integrity of your systems (e.g. technical data collected when a customer uses your website).
If you’re using our Personal Data Log, you should now go ahead and complete Column F.
We’re looking at transmission of data specifically because it necessarily involves sharing the data that you have collected with someone else – and that brings with it some additional considerations.
Ask yourself the question ‘do we transmit this data to anyone else’?
Some examples of transmission might include:
- Sending customer address information to your shipping partner/delivery company;
- Importing customer data into a 3rd party tool such as an email campaign management system;
- Sharing customer data for marketing purposes – e.g. a marketing agency;
- Sending customer data to a 3rd party cloud storage facility (e.g. data backups).
In all of these scenarios, you are actively releasing the personal data you hold to a 3rd party – and you are reliant on that 3rd party looking after the data – so you need to be pretty clear who you’re working with, and what controls are in place to ensure that the data stays secure.
I'm sorry, but I don't have a clueWhy ignorance is no defence under the GDPR
I suspect that this will be the response from a fair number of small business owners. Perhaps you’ve never given any thought whatsoever to where your customer/employee data actually resides. Or whether other people outside your organisation might actually have access to it. Or how secure it really is.
And that highlights an important point that is central to the whole GDPR.
When you consider that individuals’ personal data is a valuable commodity, you have a responsibility to think about these things – if you want to collect it and use it, you need to take care of it.
For years we’ve had a responsibility to think about these things, but the previous legislation, for the most part, let us all get away with it.
The reality of GDPR is that we are all going to have to get properly on top of this – it’s where much of the hard graft is going to happen. For example, if you don’t know where your digital data is stored, how can you argue that it’s secure?
So, I’m afraid to say, you’re either going to need to tackle these things yourself, or get someone to tackle them on your behalf.