This is the fifth post penned by Data Protection Officer (DPO), John Arthur Berg, itslearning.
In my opinion, the most common misunderstanding when it comes to data privacy is that it is about what type of personal data you store. While the type of data stored by an application intuitively can seem either fine or invasive to your privacy, you cannot assess if a service is lawfully processing data just by looking at the data set.
You need to start with the purpose.
It might sound like silly business jargon, a meaningless word, a buzzword thrown around by a management consultant formulating your next brand-identity guideline. But in the context of GDPR, the purpose is the be-all and end-all of compliance.
To even think about processing personal data, you first need to define the purpose of this processing. Let’s say you manage a cat-owner association that wants to establish a mailing list for your members to share links to funny cat videos online and offer advice on cat-related topics. So, the purpose of processing related personal data is to run a mailing list where cat-related advice and entertainment is shared.
As the controller of the mailing list, writing down the purpose will enable you to decide on a number of vital questions related to GDPR.
How do I make this processing lawful? There are six lawful reasons for processing personal data, but they all require a purpose. In our example, it seems that a consent-based approach to lawfulness is most suitable. But it is important to remember that there are a variety of other reasons why an organisation can process your data (e.g. in public interest or due to a legal requirement). However, all processing needs to have a clearly defined, transparent purpose to be lawful.
What types of personal data am I allowed to process? GDPR works on the principle of data-minimisation. So for our mailing list, a name and e-mail should be fine. Collecting information on the recipients’ gender would be unlawful, because the purpose of the processing does not indicate any need for it.
What type of security must I enable to protect the data? Understanding the purpose, together with the types of personal data you store will inform you on the level of security needed. What is the worst that could happen if someone hacked your database and exposed all subscribers as cat lovers? And what safeguards should you put in place to avoid it? While our example might seem trivial, abusing e-mail addresses is one of the most common ways to commit fraud, and can easily link a person to other sets of personal data. So, make sure to create a solution that has appropriate safeguards in place, or select a reputable vendor with good security in place.
How do I collect personal data and inform my users? The purpose will be the starting point for informing the users. No-one should be lead to believe that this is a mailing list for dog lovers, only to be spammed with cat videos. The guiding principle is that your processing needs to be transparent.
When do I need to delete the personal data? Most purposes will have a start and an end. If the purpose is no longer valid or if the processing is no longer lawful, you will have to delete it. Since this is an opt-in mailing list, the purpose would end once the consent is withdrawn, or if you shut down the service all together.
If you, as a user, are concerned with the types of personal data a service process about you, here is what you need to find out:
- What is the purpose of this service processing my data?
- What is the lawful reason given for processing the data?
- Does the vendor seemingly protect my data in a reassuring way?
- Does the data I am asked to submit seem reasonable in light of points 1, 2 and 3?
The great thing about GDPR is that it mandates that controllers should make this information easily available to users of the service. Hopefully, we will see a lot more transparency with regards to data processing purposes after the 25 May.
For more information, please visit our web page: itslearning GDPR compliant
