The most common misunderstanding when it comes to data privacy is that it is about what type of personal data you store. While the type of data stored by an application can intuitively seem either fine or invasive to your privacy, you cannot assess whether a service is lawfully processing data just by looking at the data set. I often get questions around the European General Data Protection Regulation (GDPR), so I have put together this short blog post to answer some of the more frequently asked questions.
When is data processing lawful?
There are six lawful reasons for processing personal data, but they all require a purpose.
- Consent
- Performance of a contract
- Legal requirement
- Legitimate interest
- Vital interest
- Public interest
A consent-based approach to lawfulness is often the most suitable one, but it is important to remember that there are these other reasons why an organization can process your data. Whichever reason applies, all processing needs to have a clearly defined, transparent purpose to be lawful.
What personal data is an organization allowed to process?
GDPR works on the principle of data minimization. So collecting a name and e-mail should be fine. Collecting information on a person’s gender would be unlawful, because the purpose of the processing does not indicate any need for it.
What type of security is needed to protect the data?
Understanding the purpose, together with the types of personal data you store, will give you a good indication of the level of security needed. What is the worst that could happen if someone hacked your database and exposed all subscribers as cat lovers? And what safeguards should you put in place to avoid it? While our example might seem trivial, abusing e-mail addresses is one of the most common ways to commit fraud, and can easily link a person to other sets of personal data. So, make sure to create a solution that has appropriate safeguards in place, or select a reputable vendor with good security.
How to collect personal data and inform users?
The purpose will be the starting point for informing users. Nobody should be led to believe that this is a mailing list for dog lovers, only to be spammed with cat videos. The guiding principle is that your processing needs to be transparent.
When must an organization delete personal data?
Most purposes will have a start and an end. If the purpose is no longer valid or if the processing is no longer lawful, you must delete the information. Since this is an opt-in system, the purpose would end once the consent is withdrawn, or if the organization shuts down the service altogether.
If you, as a user, are concerned with the types of personal data a service processes about you, here is what you need to find out:
1. What is the purpose for this service processing my data?
2. What is the lawful reason given for processing the data?
3. Does the vendor appear to be protecting my data in a reassuring way?
4. Does the data I am asked to submit seem reasonable in light of points 1, 2 and 3?
The great thing about GDPR is that it mandates that controllers should make this information easily available to users of the service. Hopefully, we will see a lot more transparency with regard to data processing purposes and better protection of our personal data.
itslearning is one of the first LMS providers to become GDPR compliant. For more information, please visit our GDPR page.
Originally published April 9, 2018. Updated Oct 19, 2021