Tim Turner runs an excellent Twitter account, “DPO Daily”, which poses interesting questions about data protection (and, sometimes, privacy).
Today’s question is a particularly good one:
Does encrypting or pseudonymising personal data constitute ‘processing’ for the purposes of UK #GDPR? On that basis, do you need a lawful basis to do so and do you need to tell data subjects that data relating to them will be processed in this way?
Yes, I know I’m on holiday, but I’m not doing much this morning, so here are my quick thoughts.
Does encrypting or pseudonymising personal data constitute ‘processing’ for the purposes of UK #GDPR?
Yes, I think each of these does constitute “processing”.
The definition of processing is broad:
any operation or set of operations which is performed on personal data or on sets of personal data
In terms of pseudonymisation, the UK GDPR says that this is processing:
‘pseudonymisation’ means the processing of personal data in such a manner that …
In essence, doing almost anything with a computer to personal data will, in my view, constitute “processing”.
On that basis, do you need a lawful basis to do so and do you need to tell data subjects that data relating to them will be processed in this way?
Unhelpfully, I think my answer is a firm “it depends”.
How low must you go?
Perhaps I take an unduly pragmatic stance here, but I tend to focus on the bigger picture - the reason why the data are being encrypted or pseudonymised - rather than on the specifics of each technical operation carried out by a computer.
To demand an individual assessment of lawful basis, and of transparency information, for each individual computer operation, would, IMHO, lead to an unworkable, unnecessary mess.
For example, take a generic example of amending a record in a database. To do that, one would need to something akin to:
- load the database in RAM
- perhaps type a command to query the database, to check what’s there before you make the change
- type a command to make the change
- execute the command to make the change
- perhaps type a command to query the database, to check what’s there after you made the change
- write the resulting changed database to disk
Now, to my mind, each of these is an operation performed on personal data. But it seems absurd to me to suggest that a controller is required to consider the lawful basis for each operation, or describe each operation to the data subject in transparency information.
Encryption, in itself, is likely to be a series of operations on plaintext, helpfully lumped together under the term “encryption”, for convenience. If it follows that “encrypting data” requires a lawful basis, should it not follow that each of the operations inherent in that encryption process requires a lawful basis too?
The (UK/EU) GDPR’s definition of “processing” appears to cater for this, since it says:
any operation or set of operations
In other words, there appears to be legislative support for grouping things together, where they form a “set” of operations, rather than needing to treat each item in the set separately.
So why “it depends”?
Where encryption is a part of a set of operations, without independent significance, my temptation would be to see it merely as part of that set, and assess that set as a whole.
For example, in decoded.legal’s privacy notice, I talk about processing personal data of clients for the purpose of “Giving you legal advice”.
I have not broken out separately:
- PSTN-telephoning you about legal advice
- emailing you about legal advice
- having a WebRTC call with you about legal advice
and I have certainly not tried to identify the lawful basis for using opportunistic TLS on our mail server, or the lawful basis for using encrypted video conferencing via jitsi or matrix as opposed to… well, bad example, as WebRTC requires encryption. Oh well. You get the gist.
But - and, yes, this is a bit circular - if encryption either is the activity, or else is sufficiently important that it necessitates specific consideration, it might require its own lawful basis. I must admit I am struggling to think of a good example of this right now, and the rain here has stopped, but if I think of something while walking this afternoon, perhaps I’ll come back and update this…
But, basically, “it depends” because I am not willing to rule out the prospect of needing a separate lawful basis / transparency information entirely.