The GDPR requires organisations to map the personal data they hold by keeping a record of processing activities. The idea behind this is that organisations have insight into the personal data they process: only if you know what data you are processing can you take responsibility for protecting it. Both the controller and the processor are obliged to maintain such a register.
The register must contain an up-to-date and complete overview of the personal data processed by your organisation. For each processing activity, specific information must be recorded, such as its lawfulness, the purpose limitation, which processors are involved and how long the data may be retained.
What should I do exactly?
The law does not say how the register should be organised within your organisation, only that it should be documented. We suggest paying attention to the following:
- Select an appropriate form for the register.
Most people are tempted to start with a spreadsheet, but pretty soon you will need more functions and feel the need for a specialised tool, such as WeDoPrivacy.
- Find out how you can check the completeness of the register.
As a privacy officer, you cannot assume that everyone will report the personal data they use on their own initiative. Your colleagues may not always realise that the use of personal data should be reported somewhere within the organisation.
We know from experience where to find personal data. In the general business management processes of any organisation you will find personal data in:
- The personnel department (recruitment and selection, employment-related records);
- The ICT department (the staff photo book, Active Directory, the ICT service desk);
- Facilities (cameras, complaints handling, visitor registration).
Personal data can also be found in the primary processes. This is of course highly dependent on the type of organisation. Whether you are a private or a public organisation, there are always ‘customers’ or ‘stakeholders’ whose personal data are kept. And don’t forget your employees!
- Assign responsibility for filling the register.
The GDPR does not indicate who should be responsible for filling in the register or keeping it up to date. It is therefore logical, especially in larger organisations, to have the register filled in in a decentralised manner (for example, one point of contact at HR, one point of contact at ICT, one point of contact within primary process A, et cetera).
It fits the role of the privacy officer or the Data Protection Officer (DPO) to check whether the register has been filled in correctly and, if not, to initiate follow-up actions.
- Think about how you can ensure the accuracy of the register.
Your organisation is changing every day. The moment your organisation has completed version 1.0 of the register, it is probably already out of date. How do you ensure the accuracy of the register?
The larger your organisation and the more changes it goes through, the more challenging this is. In addition to assigning responsibility for filling in the register, you also need to make arrangements within your organisation for keeping it up to date. Having a register is not a ‘project’ that you can complete; it is really a permanent management task.
Checking whether the register is still current can also be a ‘management task’ for the privacy officer or DPO, but it can also be delegated to line management. How often the accuracy should be reviewed depends on the number of changes, but a regular check at least twice a year is recommended for many organisations. You can also set this interval in WeDoPrivacy.
When implementing the register, you should therefore also immediately implement a management procedure in which, for example, the following items are included:
- Who is responsible for updating and checking the register?
- With what frequency does this take place?
- What are the ‘triggers’ for adjustments to the personal data recorded?
Do not reinvent the wheel. There are always similar organisations that, like you, are struggling with the question of how to set up a register. Why not work together? Discuss with each other which set-up has been chosen, where you have all found personal data and how you deal with the principles. By cooperating and sharing you will arrive at a good basis faster. WeDoPrivacy also helps you get started with templates. We developed these templates in practice, at organisations like yours.
What you have to record is partly determined by law. To what level of detail do you have to record which personal data you are processing? A practical proposal: in any case, go down to the level at which the legal basis differs. You can always go into more detail, but only if this yields additional control information. In an average system, the processing of ‘name’, ‘address’ and ‘place of residence’ data has the same basis, takes place in the same system and is shared with the same processors. There is then no need to create separate rows for ‘name’, ‘address’ and ‘place of residence’; they can be grouped under one heading.
The register is never finished. Your organisation is obliged to provide an up-to-date insight into its processing, so managing the register is crucial. New processing operations often bring new risks, which makes a good management procedure very important. If you keep your register in WeDoPrivacy, this management becomes a lot easier.