Longtime eDiscovery professionals recognize data processing as the method by which data, after it is collected, is prepared for the work we do. The EDRM, for example, lays out clear guidance on what data processing is and what it means. A very distilled definition is: cataloguing collected data and capturing the associated metadata. These steps, frequently unseen by the end client, take disparate data and make them available for review and/or production. This is well-covered ground for eDiscovery pros; we know what it is and how to deal with it.
The GDPR, however, defines data processing in an entirely different and much broader way. The definition of data processing, found in Article 4, is:
[A]ny operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.
GDPR data processing, then, is defined so broadly as to address virtually any action and even certain passive states of Personal Data. In other words, it covers the full life cycle of the data, up through destruction or erasure. In a subsequent post I’ll consider the lawful bases for processing found in Article 6.