GDPR demands that, before personal data is requested from a data subject, a Privacy Notice must be presented to the data subject or consent gained, depending on the situation. We recommend that each Business Process Owner consider whether their process needs to present a Privacy Notice or not. In fact, many processes do not need to present a Privacy Notice, even though they are processing personal data, if they are ‘downstream’ processes.
Let me explain. We see a lot of business processes that process personal data but have no direct interaction with the data subject whose data is being processed. We use the terms ‘upstream’ and ‘downstream’ to differentiate these process types.
A downstream process is one that is processing personal data that has already been collected and is in a database somewhere within the organisation.
An example could be a client acquisition ‘upstream’ process that has collected the personal data; the Business Process Owner (BPO) for that process will have ensured that the relevant Privacy Notice (PN) has been presented to the data subject at the correct point.
Then you may have a ‘downstream’ process such as a sales support process run by a different BPO that uses the same (already harvested) data to provide post-sales support.
The upstream process has ensured that a Privacy Notice has been presented, and the downstream process is compliant knowing that the Privacy Notice was presented at the upstream point and covers all elements of processing, such as purpose of processing, data types, etc.
The BPO of the downstream sales support process must ensure that the Privacy Notice that was presented in the upstream process actually covers the purpose for which the downstream process is processing the data.
The downstream BPO should not assume that the Privacy Notice presented by the upstream process owner is sufficient. All downstream BPOs must check that the Privacy Notice presented in the upstream process is correct for their downstream process, and make a record of that check in the Record Of Processing for their process.