• 02 Mar 2023
• •
• 2 min read

What does "processing" of personal data mean?

To answer this question it is best to look at the UK General Data Protection Regulation (UK GDPR) and how it defines “processing”:

“any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction”.

As you can see this definition is very wide and covers virtually everything you could think of doing with a set of personal data (even if you do not realise you are “doing” anything with it).

The act of “processing” personal data therefore includes:

1. Collecting personal data e.g. receiving personal data via email or a ‘contact us’ form on a website.
2. Organising and structuring personal data e.g. inputting it into a spreadsheet or database.
3. Sending or transferring personal data e.g. via email.
4. Storing personal data e.g. in a physical office filing system or an IT system.
5. Deleting personal data e.g. deleting electronic copies of documents containing personal data from your IT system.
6. Amending or adding to personal data e.g. updating a customer’s address details on your IT system or adding an alternative contact telephone number.
7. Using personal data e.g. to send a letter to a customer or a gift from the business to a customer or using an employee’s personal data to make a decision about a pay review.

In addition to the above examples, the following would be examples of processing personal data which you may not at first think are acts of processing given that they are basic every-day and necessary tasks:

1. Shredding documents containing personal data.
2. Putting a photo or a video of an employee or customer on your website.
3. Video recording via CCTV or a vehicle dash cam.
4. An employee checking their emails on their phone when they are away from the office or abroad on holiday.
5. An IT consultant located abroad logging into a business’ IT system to assist a user with an IT issue.
6. Keeping a list of individuals who have asked not to receive marketing emails.
7. A supplier using a list of its customer’s employees to send them emails or to call them about an order.
8. A supplier using an individual’s contact details included on an order form to deliver goods to them.

Our data protection team have many years of experience in advising organisations on their compliance with UK data protection law. To speak to one of the team you can get in touch here or call us on 0800 2800 421.

If you have not received this article directly, but would like to receive articles and data protection news alerts from Trethowans, please click below.