KEEP AN OVERVIEW
With all the obligations from the GDPR, it is easy to lose oversight and control.
This is where the Register comes in, also known as the Record of Processing Activities or RoPA. Whether it’s a simple list or a central database, the Register helps you to keep an overview of processing activities and to see where gaps in compliance may be.
It also helps you to determine and discuss the properties of the personal data you process in your company, like:
- Where is this personal data used for?
- Who can access this personal data?
- Is it really necessary to have this personal data?
- How long do we want to keep this it?
- How long are we obligated to keep the personal data (e.g HR or Financial records with Personal data)?
- Are we OK with transferring this data to other companies? What safeguards do we have that they treat the data confidentially and secure?
- In which places and systems is this data stored (look at resumes for instance)?
- Is the data safe against intruders and hackers or can it easily get exposed unintentionally?
The Register is particularly important, because the GDPR requires organization to be accountable. This means you must be able to provide evidence that you comply with the GDPR and how.
Documenting the properties and safeguards of processing activities is vital to prove that you are in control. It is therefore no surprise that the Register is usually one of the first records authorities request when they start an investigation.
PROPERTIES AND SAFEGUARDS
Per the regulation, the Register must contain certain information. This includes:
- Name and contact details of the organization, its DPO and its representative
- Purposes for processing
- Categories of personal data and data subjects
- Categories of recipients of personal data
- If data is transferred to another country, and what safegaurds are in place
- Retention times
- A description of technical and organizational security measures
This is an obligation for the organization that is responsible for the data (the controller). But it is also an obligation for companies that process data on behalf of another organization (the processors).
WHERE TO START?
The required size, complexity, and level of detail of the Register depends on your organization and its processing activities. This also determines whether a simple Excel sheet will do or if you need a more sophisticated specific software tool. It might be possible to use one of your existing tools (e.g. GRC-tools used for compliance to other regulations).
The first step in constructing a Register is to map your data flows and activities of your business processes. It is important that all relevant stakeholders are involved in this process.
Next, take inventory of the security measures that are already in place, both technical and organizational (e.g. procedures and training).
Finally, fill in the blanks, complete you Register and execute as recorded.
This way, you can become accountable, in control, and free of worries.
Your first question is free of charge.