The basics (2/3): personal data processing.
What’s a personal data processing activity ?
Action + personal data = personal data processing.
The equation above is the shortest way I thought of to describe what personal data processing is. Basically, anything that you do on, with or based on personal data can be considered as a personal data processing according to most privacy regulations.
We could spend more time on abstract definitions, but I think that the easiest way to understand this concept is to present a few concrete use cases and examples of personal data processing.
Example #1: Newsletter subscription
“Subscribe to our newsletter with your email address”
This is one of the most visible cases of personal data processing activities available across the web. For example, you can provide your contact details to the WHO in order to receive news regarding their efforts across the globe.
In order to be compliant with the latest regulations in place, the data collection for this kind of purpose should in no way be excessive in regards to what will be provided in exchange for the data.
For example, if you subscribe to a newsletter providing product updates for a new electric scooter, the website should in no way ask you for data regarding your wife/husband & kids.
Example #2: Targeted advertising
“Provide you with relevant ads using your search data”
This is another case that we all have stumbled upon during our web exploration sessions. Especially if you do not use an adblocker.
Let’s say that you spend some time looking up perfumes, for a future gift. From google to review sites, ending up on an online store selling the perfume you plan on buying. Instead of impulsively buying the perfume, you decide on waiting for a few days to be sure that the gift will be suited to its receiver’s taste.
The thing is, for said few days, this is what most banner ads look like for you:
This is what targeted advertising looks like, in its most common form. To be able to pinpoint what product you were looking for, your search data is collected from the e-commerce website, then sold to third parties who aggregate it with other sources of data involving you.
As a side note, you can block this transfer to third parties if you object to tracking cookies upon arrival on a website (if you are covered by the GDPR) or by relying on the “do not track” feature of your browser.
Example #3: screen-sharing a file containing personal data
“Let me show you their contact details”
Let’s say that you work as a sales rep for a nondescript company. To be able to do your job efficiently, you have extracted the contact details of your week’s leads in an Excel file, and are having a Teams meeting with Mike, from HR.
Mike tells you that he may know some of the leads you’ll be working with, so to double check you share your screen to show him your list. Even though you never sent Mike a hard copy of the personal data, he still was able to access it in some way. This is thus considered as a personal data processing, that more precisely involves a form of data transfer to Mike.
A real life example of this processing activity involuntarily took place a few years ago. A French TV team was admonished by the local Data Protection Authority for airing a documentary in which personal data (related to employee evaluation) was readable as it was projected on a screen. This was considered as a breach of privacy by the Data Protection Authority.
To obfuscate the employees’ identities, the team simply converted their name to the Wingdings font. It was not deemed to be the most secure form of encryption, by a long shot. (Source: France Televisions)
Example #4: data scraping
“Let’s aggregate their social media data”
Another, less intuitive example, would be indirect data collection.
Let’s say, once again, that you still work as a sales rep for the same company as before. You want to know more about your leads, so you devise a plan. With the help of your local IT Guru, you create a data-scraper that will centralize data about your leads from multiple sources (Linkedin, Facebook, etc.)
Even though you are not collecting data directly from your leads, and that the data is available online, this is still considered as a personal data processing.
Example #5: HR-related processing activities
“Basically, your life as an employee”
What we have seen until now are cases in which the personal data processing is a single, independent activity. However, some business processes are heavily dependent on personal data, which may lead to multiple personal data processing activities to be intertwined with one another.
The most prevalent examples of these processes are the sales funnel (which we lightly touched upon above) and HR.
From the moment you send your CV to the day you resign (and even further than that), personal data is collected, processed and transferred to fulfill multiple purposes.
For example, the application data you submitted as a candidate will be the basis for your HR file once you have been officially recruited.
Interdependent personal data processing activities are a bit more complex to manage, compliance-wise. You need to be able to identify the flows of data across all the process, and cover your compliance and security risks efficiently, as a privacy incident at the early stages of the process could easily topple the rest of the processing activities.
Knowing how to identify a personal data processing activity is the key to ensure that you are compliant with privacy regulations, and that you have a handle on what is done with personal data at your organisation.
This is why identifying your processing activities is usually the first step in any compliance project (spoiler alert, this is the subject matter of a coming article 😉).
Next time, we’ll cover the last basic definitions regarding the privacy ecosystem: who are the main stakeholders associated with personal data ?
