Every business makes use of personal data. Even if your core business is not selling databases, developing monitoring systems or providing targeted marketing advice, you will process personal data in one way or another: for compliance with employment laws, payroll or engaging suppliers or vendors (even if in B2B you need witnesses to sign contracts).
The personal data that flows within your business processes serves a specific purpose. You may simply be complying with government regulations, implementing contracts, or even developing your core revenue streams. One of the biggest changes introduced by the General Data Protection Regulation (GDPR) and various other data protection regulations around the world is that any “use” of personal data (the correct technical term would be data processing activity) must have a specific, explicit and legitimate purpose. But what does that mean?
A specific purpose means that you must not process personal data for an undetermined reason. It’s worth noting that processing means several things, from collection to use, disclosure, storage and deletion, basically anything that can be done with personal data. Along with this specificity comes a very important concept: personal data cannot be further processed in a way that is incompatible with its originally intended purpose (purpose limitation).
For example, imagine a medical clinic that collects health data from its patients to provide medical services. Then it decides to share its data with an insurance company to offer advertising. This would be illegal because sharing the patient data would be incompatible with the purpose for which it was originally collected.
An important aspect of data protection is transparency. Companies must adequately inform their stakeholders about their data processing activities. This enables autonomy and informational self-determination: data subjects must be able to understand and – where applicable – decide on the use of their personal data. An explicit purpose therefore means that the data subject should be informed in a clear way about the reason for the processing of their data. This can be done at the time of data collection with a specific disclaimer/privacy notice or, if this is not possible, e.g. in the case of web scraping, shortly afterwards.
Finally, a legitimate purpose essentially means that it must comply with the law. For example, it would be illegal to collect the political opinions of your employees in order to decide whether to give them a promotion.
To comply with data protection regulations, every company must document its data processing activities and the purposes for which they are used. In this way, you can be accountable, track the flow of data and ensure that the data is not used for a purpose other than the one originally stated (functional degradation).
To learn more about GDPR principles don’t forget to read our previous article about Lawfulness, Fairness and Transparency.
Need some help on the road to compliance? Book a free consultation with us today!