What is considered processing under GDPR? It’s a question we get asked a lot. Mainly as a result of our work with clients and their data processors.
The definition of processing is covered by Article 4 paragraph 2 of GDPR and states:
“‘processing’ means any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction”
I was speaking with a business storage facility on behalf of a client the other day and they explained to me that they only store and retrieve the paperwork on behalf of my client, they are not processing it. I had to explain that storing the personal information was processing under the definition of GDPR (and was processing under the Data Protection Act 1998). Therefore my client would be looking to put in place a data processing agreement to cover the arrangement.
This conversation is not unusual, I probably have it with a supplier once a week. Another supplier that stated they weren’t a processor was an IT company who claimed that although my clients information was held on their servers, they weren’t processing it. Again storing and structuring are processing.
Another of our clients provide paper destruction services. They recognise that because they are destroying business information they are a data processor. They have set up the correct contract structure with their clients as a result.
In conclusion, the key here is that an organisation doesn’t need to be accessing each record and seeing the information to be a data processor. Some businesses such as IT consultants, record storage and records destruction will always be processing information.