The Art of Recording Data Processing Activities
As discussed in earlier articles, the GDPR requires accountability, transparency, storage limitation and in general, a thorough knowledge of the types of processing activities carried out that use personal data. One way it does this is through the record of processing activities as discussed in article 30.
Knowing the personal data that your organisation processes and the activities that result in that processing is one of the cornerstones of good data protection compliance. I would encourage all companies, big and small, to maintain a record of processing activities.
However Article 30 only states that the condition to have a register […] “shall not apply to an enterprise or an organisation employing fewer than 250 persons unless the processing it carries out is likely to result in a risk to the rights and freedoms of data subjects, the processing is not occasional, or the processing includes special categories of data […] or personal data relating to criminal convictions ”
Article 30 asks that both controllers and processors maintain these records. Often called register of processing activities they can be the data flow map for your organisation showing the processing activities and the personal data involved.
For controllers who need to keep a record of processing activities, the GDPR's Article 30 is very detailed in its requirements. It looks for the name and contact details of the controller and / or their data protection officer. It requests details on the processing activity, the categories of data, the categories of data subjects (those affected), the recipients, the storage and erasure periods (where possible), the purpose of the processing, descriptions of international transfers and the security arrangements in place for these non-EU/EEA transfers.
If you are finding this difficult, a good exercise might be to take a standard company practice like payroll and explore how you would detail an area like this as a processing activity, using the headers provided in Article 30.1 of the GDPR.
When describing the categories of data, I believe it is best to be as granular as possible and to highlight special category data. It would also be useful to detail the legal basis for the processing and, where appropriate, to describe the specific Article 9 condition relied on for processing this data.
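The payroll exercise suggested above, worked through as an added example (not code from the original article or from Enguard): a single register entry modelled on the Article 30.1 headers, with a completeness check that enforces the two points just made, namely that special category data must carry an Article 9 condition and that any non-EEA transfer must have its safeguards described. The field names, the `Example Ltd` payroll entry, the partial EEA list and the retention period are all constructed for illustration; the `register_required` check reflects the small-organisation exemption quoted earlier.

```python
from dataclasses import dataclass, field, replace

# Constructed, deliberately partial list of EEA country codes for the transfer check.
EEA = {"IE", "DE", "FR", "NL", "ES", "IT", "NO", "IS", "LI"}


@dataclass
class ProcessingActivity:
    """One row of the register. Field names are this example's own labels for the
    Article 30(1) headers, not terminology from the regulation itself."""
    name: str
    controller: str
    dpo_contact: str
    purpose: str
    legal_basis: str
    data_subjects: list = field(default_factory=list)
    data_categories: list = field(default_factory=list)
    special_categories: list = field(default_factory=list)  # Article 9 data (health, union membership, ...)
    article9_condition: str = ""                              # must be set when special_categories is non-empty
    criminal_convictions_data: bool = False                   # Article 10 data
    recipients: list = field(default_factory=list)
    transfer_countries: list = field(default_factory=list)    # ISO codes of countries the data is sent to
    transfer_safeguards: str = ""                             # must be set for any non-EEA transfer
    retention: str = ""
    security_measures: str = ""
    occasional: bool = False                                  # used by the Article 30(5) exemption check
    likely_high_risk: bool = False                            # used by the Article 30(5) exemption check


REQUIRED_TEXT = ("controller", "dpo_contact", "purpose", "legal_basis", "retention", "security_measures")
REQUIRED_LISTS = ("data_subjects", "data_categories", "recipients")


def validate(a: ProcessingActivity) -> list:
    """Return a list of gaps in one register entry; an empty list means the entry is complete."""
    issues = []
    for name in REQUIRED_TEXT:
        if not getattr(a, name).strip():
            issues.append(f"{a.name}: '{name}' is empty")
    for name in REQUIRED_LISTS:
        if not getattr(a, name):
            issues.append(f"{a.name}: '{name}' lists nothing")
    # Special category data recorded without the Article 9 condition relied on.
    if a.special_categories and not a.article9_condition.strip():
        issues.append(f"{a.name}: special category data recorded without an Article 9 condition")
    # Transfers outside the EEA need the safeguards (e.g. standard contractual clauses) written down.
    non_eea = sorted(c for c in a.transfer_countries if c not in EEA)
    if non_eea and not a.transfer_safeguards.strip():
        issues.append(f"{a.name}: transfer to {', '.join(non_eea)} has no documented safeguards")
    return issues


def register_required(headcount: int, activities) -> bool:
    """Article 30(5): organisations under 250 staff are exempt unless any activity is likely
    high risk, is not occasional, or involves special category or criminal convictions data."""
    if headcount >= 250:
        return True
    return any(
        a.likely_high_risk or not a.occasional or a.special_categories or a.criminal_convictions_data
        for a in activities
    )


# Constructed payroll entry for a fictional controller; every value here is illustrative.
PAYROLL = ProcessingActivity(
    name="Payroll",
    controller="Example Ltd (constructed)",
    dpo_contact="dpo@example.invalid",
    purpose="Calculate and pay salaries; statutory reporting to the tax authority",
    legal_basis="Art. 6(1)(b) contract; Art. 6(1)(c) legal obligation",
    data_subjects=["employees", "former employees"],
    data_categories=["name", "tax identifier", "bank details", "salary", "absences"],
    special_categories=["sick-leave medical certificates", "trade union subscriptions"],
    article9_condition="Art. 9(2)(b) employment law obligations",
    recipients=["payroll bureau (processor)", "tax authority", "pension provider"],
    transfer_countries=["IE", "US"],
    transfer_safeguards="Standard contractual clauses with the US-hosted payroll software vendor",
    retention="7 years after the end of the tax year (constructed figure)",
    security_measures="Role-based access, encrypted exports, MFA on the payroll system",
)

# The same entry with the two fields this article stresses left blank, to show the checks firing.
PAYROLL_INCOMPLETE = replace(PAYROLL, article9_condition="", transfer_safeguards="")

if __name__ == "__main__":
    print("complete entry issues:", validate(PAYROLL))
    print("incomplete entry issues:", validate(PAYROLL_INCOMPLETE))
    print("register required for a 40-person company:", register_required(40, [PAYROLL]))
```

Running the module prints no issues for the complete entry, two issues for the incomplete copy, and confirms that a 40-person company running this payroll activity still needs the register, because payroll is neither occasional nor free of special category data.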
The obligation also applies to processors, so a controller will normally require it of the processor in a standard data processor agreement. Normally you will ask the supplier (processor) to maintain a record of processing activities, alongside the other standard sections such as having suitable security in place.
The creation of a record of processing activities can be a long but rewarding process and I would encourage that you start the process with a data protection advisor. The process will involve interviewing staff at various levels, interrogating a processing activity and possibly recording variations of a similar activity at different sites if that involves different data, recipients or data subjects.
The record of processing activities must be a living document, so it's best to add to or update the record regularly. Another approach is to take the data flow map section from the DPIA of a newly approved process, which has already been checked for risk, and add it to your organisation's record once that process is in use.
The benefits of recording data processing activities are many and range from being compliant with the GDPR to having a helicopter view of the activities and data your business processes. Furthermore, it can be the starting point for organisational / procedural changes and can be used to give new staff an overview of the activities involving personal data at induction. It can also be used as the starting point for the company's retention schedule, which is a list of records containing personal data and all the details surrounding their retention. The retention schedule will be a core manual for staff in their retention and disposal of documents containing personal data.
If there is an open culture in your organisation, the exercise of recording processing activities can show areas for improvement in security, training and procedure. It might also lead to questions as to the extent of personal data being processed: is the activity excessive or even unnecessary? Through the process of recording your processing activities your organisation could learn that it is processing excessive amounts of data with shaky legal bases.
Enguard can assist you with creating a register of processing activities as part of our audit package. We also provide cyber security services, staff training and can assist with drafting policies and procedures. For further details please call us at Enguard on 0818 252 052 or email email@example.com. We would love to hear from you!
Disclaimer: Please note the above article is an opinion piece based on current sources of information available at the time of publishing. It should not be read as legal, clinical or other form of technical advice for the processing of data by processors or controllers.