GDPR: Processing Operations
Written by James Webster

GDPR is a big change to the data processing environment. This is a guide to defining your processing operations.


Official definition: processing means any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction;

Sheep definition: the tasks you perform in your day-to-day operations that touch personal data in some way.

e.g.

  • Registering a new member

  • Taking a booking for a venue

  • Sending a newsletter

How you define these is up to you. We would recommend keeping distinct operations separate but don't be too specific.

The Processing Operation in Sheep is the general statement of processing, not the specific instance of when the operation is executed.

For example, if you are a membership organisation that also runs events open to non-members, you might have one processing operation to cover all membership tasks and a separate processing operation for selling tickets.

Legal Basis
Each processing operation must have a legal basis; in other words, everything you do should be legal. GDPR asks you to be explicit about which piece of the law, which legal basis, you will be using. You have six choices.

Processing shall be lawful only if and to the extent that at least one of the following applies:

  1. the data subject has given consent to the processing of his or her personal data for one or more specific purposes;

  2. processing is necessary for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract;

  3. processing is necessary for compliance with a legal obligation to which the controller is subject;

  4. processing is necessary in order to protect the vital interests of the data subject or of another natural person;

  5. processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller;

  6. processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data, in particular where the data subject is a child.

Sheep definition:

  • Consent - nice and easy, the subject said you could

  • Legitimate Interests - perhaps the hardest to define: have you got a legitimate (or good) reason to be processing or communicating with the subject? A useful question to ask is: 'If I were the subject, would I be surprised that my personal data is being used in this way?' e.g. 'As a new member I received a welcome message' vs 'As a new member I get a marketing email from a vaguely related third party'.

  • Contract - Membership, tickets, venue bookings and donations can also be considered 'contracts'. 

You will need to define your processing operations as part of your wider preparation for GDPR. The operations which involve data held in Sheep should also be stored in Sheep. 

Processing Operations can be found in Settings > Contacts

Sheep Example

This is our processing operation for our newsletter:

We aren't prolific writers but we would like to contact you with the latest news about Sheep, articles we've published or we think are of interest and product updates. If you consent to us contacting you for this purpose please choose how you would like us to contact you.

The legal basis is 6(1)(a) Consent. 

Automatic GDPR (new summer '19)

Sheep will automatically add a legitimate interests record to any contact that:

  • has an active membership

  • makes a donation

  • purchases a ticket

We use the first recorded occurrence as the start date of the privacy record and have a retention period of seven years after the last occurrence. For example, if the subject bought a ticket in 2010 and again in 2013, the privacy record will span from 2010 to 2020.

Automatic GDPR is on by default for all clients.
Clients on a large plan can request bespoke, automatic GDPR processing rules.
