How can we help?
Our mission is to create great privacy tools that are affordable for all organisations. Our tools are not only affordable, they also offer great quality. We understand that this almost sounds too good to be true, but we are happy to answer any question you have. Below you find our most frequently asked questions. Can’t find your answer here? Use the search bar above, or check our Knowledge Base.
Our tools are created by privacy experts who have years of practical experience. They know what functionality is useful in daily life. And what functionality only makes sense on paper.
There is no catch. We started WeDoPrivacy because we feel that privacy is important. Organisations can benefit greatly from proper privacy tools. But why should proper tooling only be available for organisations with a big wallet and people that have the time to become an expert in privacy.
It is WeDoPrivacy mission to create affordable privacy tools that can be used by experts and non-experts. How to better illustrate your mission than offering a Freemium version. And if you want more comfort or specific functionality, you can always order a paid version that is still affordable. In turn: if you buy a paid version, you will help us keeping the fermium model available for organisations that truly lack any funds for privacy tools.
WeDoPrivacy is established in the Netherlands. The founders of WeDoPrivacy also work at Verdonck, Klooster & Associates. We work across the European continent with partners that help our customers to make the best use of our product.
You can always use the free version as long as you want. And if you decide for the paid version, we will of course migrate your data, so you won’t loose anything.
We think you feel even more comfortable using WeDoPrivacy after you take a first peek through the free version. So register as a free user first and look around. If you are satisfied, you can immediately upgrade your account to a paid version.
Easy: if your tool offers an opportunity to export (for example to a spreadsheet) we are happy to help you to import it into WeDoPrivacy. If you cannot export, we are happy to think with you on a plan B. Please get in touch for more details.
Excel has strong features to manage your record of processing activities, but also limitations. Try WeDoPrivacy if you feel that the following could be true for your organisation:
- You are not sure wat the latest version is of your Record of Processing activities or where you’ve stored it
- You work together with others on the record and lost track of the most recent copy
- As you are not a privacy specialist, you are easily confused with specific terminology
- You find it is easy to make mistakes in keeping your record adequate and you don’t feel comfortable with that
- You find it hard to manage the relation between the different items (processors, data subjects, etc.) within one processing activity
If any of these is true, or of you feel that you need something more professional than a spreadsheet, consider WeDoPrivacy.
We designed WeDoPrivacy to make it easy to manage your record of processing activities. Whether you are a privacy professional or not.
WeDoPrivacy helps you to take responsibility and be GDPR compliant. Our tool‘s design makes sure that all relevant information is included. By offering templates, checklists, tips and easy to use fields (such as dropdown menus and selection boxes), managing your Record of Processing activities is a breeze!
The GDPR requires organisations to map the personal data within your organisation by keeping a record of processing activities. The idea behind this is that organisations have insight into the personal data that is being processed. Only if you know what data you are processing, you can take responsibility for protecting it. Both the controller and the processor have an obligation to maintain such a register.
The register must contain an up-to-date and complete overview of the personal data processed by your organisation. For each processing, specific information must be kept, such as the lawfulness, purpose limitation, who are processors and how long data may be retained.
What should I do exactly?
The law does not indicate how the register should be organised within your organisation. Only that it should be documented. We suggest to pay attention to the following:
- Select an appropriate form for the register.
Most people are tempted to start with a spreadsheet. But pretty soon you will need more functions and feel the need for specialised tools. Such as WeDoPrivacy.
- Find out how you can check the completeness of the register.
As a privacy officer, you can not assume that everyone will report on their own personal data. Perhaps your colleagues do not always understand that they should report the use of personal data somewhere within the organisation.
We know from experience where to find personal data. Within the random business management processes you will find personal information at:
- Personnel department(recruitment & selection, work-related administrations);
- The ICT department (Facebook book, active directory, ICT service desk);
- Facilities (cameras, complaints handling, visitor registration).
Personal data can also be found on the side of the primary processes. This is of course highly dependent on the type of organisation. Whether you are a private or public organisation, there are always ‘customers’ or ‘stakeholders’ of whom personal data are kept. And don’t forget your employees!
- Assign responsibility for filling the register.
The GDPR does not indicate who should be responsible for filling the register or keeping it up to date. It is therefore logical, especially in larger organisations, to have the register filled in a decentralized manner (for example, one point of contact at HR, one point of contact at ICT, one point of contact within primary process A, et cetera).
It fits the role of privacy officer or the Data Protection Officer (DPO) to check whether the register is filled correctly. And if this is not the case, initiate follow-up actions.
- Think about how you can ensure the accuracy of the register.
Your organisation is changing every day. The moment after your organisation has completed version 1.0 of the register, it is probably already out of date. How do you ensure the accuracy of the register?
The larger your organisation and the more changes, the more challenging it is. In addition to the responsibility for filling the register, you also need to make arrangements with your organisation about keeping the register up-to-date. Having a register is not a ‘project’ that you can complete, it is really a permanent management task.
Checking current events can also be a ‘management task’ for the privacy officer or DPO, but can also be delegated to line management. How often the accuracy should be reviewed depends on the number of changes, but a regular check at least twice a year is recommended for many organisations. You can also set this interval in WeDoPrivacy.
When implementing the register, you should therefore also immediately implement a management procedure in which, for example, the following items are included.
- Who is responsible for updating and checking the registry?
- With what frequency does this take place?
- What are “triggers” for personal data adjustments?
Do not reinvent the wheel. There are always similar organisations that, like you, are struggling with the question about how to set up a register. Why do not you work together? Discuss with each other which set-up has been chosen, where you have all found personal data and how you deal with principles. By cooperating and sharing together you will find a good basis faster. WeDoPrivacy also helps you get started with templates. We have made these templates in practice, at the same organisations as yours.
What you have to record is partly determined by law. To what detail level do you have to record which personal data you are processing? A practical proposal: in any case you will have to do this to the level where there is a difference in the foundations. Further details may always be used, but this must lead to additional control information. In an average system, processing ‘name’, ‘address’ and ‘place of reference’ data has a similar basis, is in the same system and is shared with the same processors. Then there is no need to create separate rows for ‘name’, ‘address’ and ‘place of residence’, but this can be done under one denominator.
The register is never finished. Your organisation is obliged to provide an up-to-date insight into processing. The management of this is crucial. Often new risks are present in new processing operations. A good management procedure is therefore very important. If you put your register in WeDoPrivacy, this management becomes a lot easier.