I am sure you are fully aware about the General Data Protection Regulation (GDPR) entering into force in a few weeks. And I'm sure you also have started to work on the requirements specific to your business. Having a good record of processing activities is extremely important, especially in terms of accountability. Do you have your record in order? If so, congratulations - if not, then you need to read this post, which includes some precious tips for you for a successful implementation.
On May 25th, 2018, the EU General Data Protection Regulation will also apply on many Swiss enterprises. Two essential points of the European data protection law are the right of access to information and transparency towards individuals. The record of processing activities is fundamental in the implementation and is explicitly required in article 30. enterprises employing less than 250 people are exempted from this requirement – albeit with some exceptions.
The register of processing activities for the GDPR – an inventory for more security
The mentioned article dictates that each enterprise must keep a register of all processing activities performed under its responsibility. In addition, it is required that reasonable organisational and technical controls are introduced, to guarantee an appropriate level of protection. As examples, the GDPR mentions encryption, pseudonymisation or other controls that ensure confidentiality, integrity and availability.
So is it just old wine in new skins? In fact, it is because it doesn't matter if we talk about IT security, cyber security or data protection: your crown jewels, as well as person-related data, need the right protection. And the best way to achieve this is by answering the following four questions:
- What do I want / need to protect?
- How much protection do the assets need?
- What risks must I protect my assets and targets against, and how large are these risks?
- What security measures do I need in concrete, to protect my assets against the identified risks?
Are you wondering what does this have to do with data protection, in particular with the preparation for the GDPR? It's simple: in order to prepare the register correctly, you need to know what person-related data are processed in which systems, what risks do they run, and what controls should you implement to protect these data.
A register of processing activities provides indications on all processing activities
It is important that the register is not just created once, and then forgotten. It must be continuously cared for since processing activities can change in time – even those that relate to personal data. According to the GDPR, the following aspects fall under the definition of "processing activities":
- collecting, entering or storing,
- organising or sorting,
- correcting or altering,
- reading or querying,
- using, distributing, or any other form of making available,
- disclosing by communicating,
- comparing or linking,
- constraining or limiting,
- and deleting or destroying.
Contents of the register of processing activities
Due to the size of the register, a simple table calculation is no longer enough. The register must provide information on the following points:
- Name and contact data of the person in charge, possibly also on the data protection officer.
- Target of the processing (individually for each data collection.)
- Description of the categories of interested persons, and categories of personal data, e.g. "employees" or "clients". Data categories can consist of master data, or transaction or position data.
- Categories of receivers, to whom the personal data have been or shall be disclosed.
- Transmission of personal data to a third-party country, or to an international organisation.
- The planned date for deletion of different data categories.
- Description of technical and organisational security controls.
To avoid needless duplication of documents, it is possible to link existing documents into the register of processing activities. However, it must be remembered that in case of need, these documents must be also made available to the supervisory authority. And also, it makes sense to match the Register with other inventory-keeping applications (CMDB – Configuration Management Data Base, process documentation, risk register etc.).
As you see, there's a lot to do. And data protection documents are not exactly among the most beloved duties in enterprises. But don't worry: we've put together a practical guideline. It will support you with precious suggestions in the development and care for the GDPR-compliant register of processing activities. Because documentation is the alpha and omega of GDPR-preparedness: so get busy with it right away!
Start today with the GDPR readiness
You have to take further measures for the GDPR apart from the processing list? Don't worry, we are happy to assist you. Our whitepaper on GDPR readiness includes all the important changes and gets you practical tips for implementation. Click here for the free download:
You are already a step ahead? Awesome! Then you can devote yourself intensively on your processing directory. In our free GDPR guideline you receive valuable tips from our experts for practical implementation. Why? Because the documentation is the alpha and the omega of GDPR. Just click on the blue butten right here and benefit from the free template "GDPR processing directory guidline"
