Privacy management and digital data

Privacy: Which Personal Data Are You Processing?

Privacy is no longer limited just to our personal lives, but it also expands to digital lives. The data people put out on the internet is sensitive and needs to be adequately protected. With an increasing number of data theft cases, the European Union took a remarkable step in 2016. They incorporated the General Data Protection Regulation (GDPR) act to protect and preserve the privacy and data protection of all European citizens.  

GDPR law is based on seven principles that protect every EU citizen’s data privacy. In addition, this law empowers the citizens by giving them more control over their will to share their personal data. Indeed, it is a European law, yet it does not bind just European businesses. According to this law, an individual or organization handling the data of an EU citizen is legally bound to comply with the guidelines of GDPR.  

The Impact of GDPR on Businesses  

Before talking about how GDPR changed the way businesses operate, let’s first clarify some essential terms 

  1. Data Controllers: Article 4 of the EU GDPR defines data controllers as an entity, which can be an individual and/or organization, etc.) determining the reasons and ways of processing personal data.  
  2. Data processor: It is an actual entity that processes the data on behalf of the data controller.  
  3. Data Subject: Any living individual whose personal data is collected, stored, and processed by data controllers and processors is a data subject.  
  4. Personal data: Any type of data identifying an individual is personal data. 

GDPR, digital personal data

Under GDPR, data controllers meaning businesses are obliged to disclose data collection of data subjects, declare the purpose for processing their data and several information, e.g., time of retaining personal data.  

Today, the data controllers that regularly process personal data must record processing activities to manage compliance with GDPR. Now, complex organizations handle enormous amounts of personal data from multiple data subjects. Therefore, many of them utilize modern tools to help manage GDPR compliance. 

QUIZ: Are You Aware of Which Personal Data You Are Processing? 

Record of Processing Activity  

It is an activity through which the businesses form an inventory of the data processing to keep track of all the activities done to the concerned personal data. Article 30 of GDPR obliges businesses (Data Controllers and Data processors) to maintain the record of processing activities as a tool to be compliant with GDPR.  

Typically, the Record of Processing Activity is managed by the Privacy Office, but all the departments should also be involved in the discovery and management of processing activities.  

What is a Processing Activity?  

A document containing information about data processing made for inventory purposes displaying the history of personal data processing is a Processing activity. To fulfil Article 30 of the GDPR, it must contain a set of information like: 

  • A description of the categories of data subjects and of the categories of personal data 
  • The reasons (purposes) behind processing the collected data  
  • Individuals and/or entities having access to it (including recipients in third countries or international organizations). 
  • Where possible, the envisaged time limits for erasure of the different categories of data. 

Obtaining Consent  

Consent is one of the legal bases for data processing defined by GDPR (Article 6 GDPR – Lawfulness of processing). 

The Data Controllers must be able to demonstrate to have obtained consent from the data subjects before collecting, processing, and / or storing their data if consent is a legal basis for data processing. At any time, the data subject should be able to withdraw his/her consent. 

So, how do organizations get consent?  

In order to comply with this regulation, businesses generally use a form (webform or on paper) asking for an explicit consent of the data subject to collect, store and process their personal data for a specific purpose.  

Consent must be written in a simple, effective, and comprehensible way for the user is going to accept or not. 

The following are some examples of processing activities that require consent for each of the principal business functions,  


  • Consumer Care 
  • Consumer Complain management 
  • Sales Customer Information 
  • Store visit 


  • Use of Personal Image for campaigns 
  • International communication 
  • Travel Booking 

Digital Marketing:  

  • Newsletters 
  • Marketing campaigns 
  • Market Research 
  • Cookies on websites/apps 

Cookie Banners  

The discussion about privacy and personal data is incomplete without cookie banners. Cookies are small text files carrying information about user’s activities on the website. They are generally stored in the device that the user has used to access the website. Cookie banners are nothing but small notices that appear on the screen right before a user loads a webpage.  

Importance of Cookie Banners:  

In order to be compliant with the GDPR, a website must present a cookie banner to the users asking for their explicit consent to use cookies, especially when the website is using cookies that are not strictly necessary for the functionality of the website.

These cookies banners must inform the user about the use of cookies and must allow the user to choose whether to accept them. If the user does not want to accept the use of cookies, he or she should not be prevented from browsing the site.

Asking the user for consent does not conclude the tasks that need to be done to have a GDPR compliant website.

See you next post!