GDPR is a big change to the data processing environment. This is a guide to defining your processing operations.


Official definition: 'processing' means any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction;

Sheep definition: the tasks you perform in your day-to-day operations that touch personal data in some way.

e.g.

  • Registering a new member
  • Taking a booking for a venue
  • Sending a newsletter

How you define these is up to you. We would recommend keeping distinct operations separate but don't be too specific.

The Processing Operation in Sheep is the general statement of processing, not the specific instance of when the operation is executed.

For example, if you are a membership organisation that also runs events open to non-members, you might have one processing operation to cover all membership tasks and a separate processing operation for selling tickets.

Legal Basis
Each processing operation must have a legal basis or in other words: everything you do should be legal. GDPR asks you to be explicit about which piece of the law, which legal basis you will be using - you have six choices.

Official definition: GDPR 6.1 in full - Legal Basis

Processing shall be lawful only if and to the extent that at least one of the following applies:

  1. the data subject has given consent to the processing of his or her personal data for one or more specific purposes;
  2. processing is necessary for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract;
  3. processing is necessary for compliance with a legal obligation to which the controller is subject;
  4. processing is necessary in order to protect the vital interests of the data subject or of another natural person;
  5. processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller;
  6. processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data, in particular where the data subject is a child.

Sheep definition:

  • Consent - nice and easy, the subject said you could
  • Contract - Sheep considers membership, tickets, venue bookings and donations as 'contracts'. You may choose to seek consent as an additional legal basis.
  • Legitimate Interests - this is the fuzziest in our opinion and potentially open to abuse. We consider legitimate interest to be a second-rate basis; it is much better to get consent or have a specific contract. It is, however, a perfectly valid legal basis.

You will need to define your processing operations as part of your wider preparation for GDPR. The operations which involve data held in Sheep should also be stored in Sheep. 

Processing Operations can be found in Settings > Contacts

Sheep Example

This is our processing operation for our newsletter:

We aren't prolific writers but we would like to contact you with the latest news about Sheep, articles we've published or we think are of interest and product updates. If you consent to us contacting you for this purpose please choose how you would like us to contact you.

The legal basis is 6(1)(a) Consent. 
