GDPR Advent Calendar (Door 3)

Previously on the GDPR Advent Calendar... ELF (the External Logistics Force) is a business appointed by my client Nick to process a substantial data set involving personal data belonging to children all around the world to support his toy and gift manufacturing and delivery operation. A data breach has resulted in a portion of this data being publicly available and a response plan has been put into effect. While Nick waits for ELF to respond with details of the nature and extent of the breach, it seems like an opportune moment to think about exactly what we mean by the terms ‘process’ and ‘personal data’ – both of them very significant concepts in relation to data protection, and sometimes inadequately understood.
Let’s open Door 3 and find out more:
First, personal data. Not all information about a person is necessarily personal data. If it is not processed (or intended to be processed) automatically, if it is not part of a non-electronic filing system or destined to become one or if it is not part of an ‘accessible’ health, education or local authority record or another public authority record, then it is not personal data. So, yes, pretty much all information about a person is personal data.
The data will be personal data if it “relates to” an identifiable individual. This means that it must be data which allows an individual to be identified, either on its own or in combination with other data in the possession of the controller. It doesn’t matter whether the data relates to the individual in their personal or family lives (as in the case of the children listed in my imaginary client’s database) or in connection with any business or profession. It can still be personal data even if the individual is not identified by name, where the data is being processed in order to establish or document something about the individual, or has an impact on them.
So, that begs the question, what does it mean to talk about data being processed. It is certainly true that applying a process to the data will qualify (for example using an e-mail address in order to send out a marketing communication or, as in the present case, using a name and address to deliver presents). But processing extends very much further. From the exercise of collecting the information, through storage and modification, and up to and including retention and ultimately deletion, all of this is included within the definition of processing. Keep in mind the point about deletion being processing, that will be important later.
These points about what personal data is, and how it is processed, are not merely semantic questions for lawyers to get excited about (although we definitely do). Defining these points helps a data controller to know what they have in their possession which needs to be protected under data protection legislation, and allows data subjects (provided that they read the privacy policy) to know how their data is going to be processed, before they hand their data across.
Come back tomorrow, as we start to consider how to deal with what has been uncovered so far, and Nick asks me to look at the terms of ELF’s processor agreement…