21 August 2017 chat with ico_rachels

This page contains the transcript of a web chat we had with a member of the ICO team.

The team members have been really helpful and very gracious in allowing us to publish these transcripts. We are duty bound to point out that the information included will be the view of the agent and could of course be subject to the misunderstandings that can arise from a purely written conversation. The actual General Data Protection Regulation should always be regarded as the ultimate source of truth.

Initial Question: What constitutes "not occasional" processing as per GDPR A30(5)

Tom: OK, so, to clarify my understanding, if a small business is processing any type of personal data frequently, it has a responsibility to keep records of that data processing, is that right?

ico_rachelsYes. That's correct.

Tom: So, swinging back to a question from earlier, what constitutes 'not occasional'?

ico_rachelsBut as advised previously, I can't expand on what our understanding of 'occasional' and 'frequent' processing would be as no guidance has not been issued by us or by the Article 29 Working Party.

Tom: lol, understood!

Tom: Do we have any idea of an order of magnitude? Hours/Days/weeks/months?

ico_rachelsIf you interpret it under a standard dictionary interpretation, occurring refers to 'infrequent' or 'irregular' processing. However, I'm not in a position where I can advise you more clearly than this, I'm afraid.

Tom: Completely fair enough. on a related note, in the case of a breach, would the ICO look more forgivingly upon a small organisation if it kept these records, even though it was not required to do so? I.e. would personal data processing record keeping be considered best practice by the ICO?

 

Tom: I'm wondering if the best recommendation to customers is just to put the record keeping in place regardless.

ico_rachelsI believe it would be considered best practice - providing it was feasible to do so. However, if there is no legal obligation, there is no requirement for them to do so.

Tom: Final question, as before is it ok to publish this on our site? I'd probably just take the bit from "Yes. I agree with your intepretation" about ten lines back onwards

Tom: Sorry, meant from "OK, so, to clarify my understanding" onwards

ico_rachelsYes, certainly. You may need to make it clear that our live chat service provides general advice.

Tom: Will do, it also 

contains a caveat against each transcript that it is the view of the agent and could of course be subject to the misunderstandings that can arise from a purely written conversation.

ico_rachelsI see. Thank you for clarifying that. I hope that information is helpful to you.

Tom: I'm just rounding up the questions I'm getting from lots of different businesses. Yes, very helpful thank you. Have a good evening

 

Important: This site describes our current understanding of the General Data Protection Regulation (GDPR).

We are not lawyers, always seek specialist GDPR advice for your organisation.

About Redox Software

At Redox we specialise in producing bespoke software written especially for your business. We can write you a system that can be used on your computer, via the web or on your tablet/phone – or any combination of those - either now or in the future.

Latest Redox Posts


Our Contact Details

The Colin Sanders Innovation Centre
Mewburn Road, Banbury
Oxfordshire. OX16 9PA

+44 (0)1295 817646