Data processing and GDPR

What is data processing and what is sensitive data?

Data processing is any activity in which personal data is collected, registered, stored, analyzed, transmitted, deleted, sold etc. The term is defined so broadly that any contact with personal information is basically considered as data processing.

Data, in this case, is defined as formalized information that is typically handled by a machine or a computer.

Most businesses and organizations will, in one form or another, handle or process some type of data, most often personal data. The GDPR defines personal data as: “any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.”

Typically, personal data is divided into two categories. Some countries also have a third category while others consider the category “Confidential personal data” to be of the same category as sensitive data.

• General or common personal data: names, e-mail addresses, place of residence, place of employment, and other factual information that is publicly available.
• Sensitive personal data (‘Special category of personal data’): Health records, information about a subject’s ethnicity, religion, or sexual identity. This data is more personal, and should therefore be handled with greater care.
• Confidential personal data: social security numbers, criminal records and other classified information that needs to be regulated separately.

How do you process personal data correctly?

In order to process personal data correctly, you need:

• The legal right and a legitimate purpose
• Consent from the person whose personal data you’re processing
• A data processing agreement

A legal right and a legitimate purpose are prerequisites whenever you process personal data. Your rights are limited by whether you’re processing general or sensitive personal data.

You need consent from the person whose personal data you’re processing. This needs to fulfill a number of requirements: it needs to be voluntary, limited or specific, informed, and unambiguous. Furthermore, you need to document and verify that you’ve obtained the consent correctly.

There are exceptions as to when a business can get consent. This could be if, for example, it’s necessary out of care and due diligence to the person, or if there is a legitimate reason for the data manager that isn’t superseded by the subject’s own interests.

You can read more about consent on GDPR.eu.

Thirdly, businesses need a data processing agreement. This is a contract which contains instructions for the data processor on how to process the information. This agreement is between the data manager and data processor.

What’s the difference between a data processor and a data manager?

The data processor and the data manager are not the same person.

The data manager is the party that determines which data to process, to what purpose, and using which tools. The data manager defines the ground rules for how the data ought to be processed.

On the other hand, the data processor is the party that performs the actual processing on behalf of the data manager.

It’s important to separate the two, because they have different requirements. One party, the data manager, ensures that the data processing is GDPR compliant, whereas the other party, the data processor, takes responsibility for acting in accordance with the given instructions.