Keeping a record of processing activities is a corporate obligation introduced by Article 30 of the GDPR. It requires a clear and complete overview of every processing activity taking place within an organisation, and documentation of each of them. Producing it requires proactive collaboration across the organisation, since no single department sees all of the processing.
Data controllers are responsible for keeping an up-to-date record of all processing activities carried out within the organisation. Processors, in turn, must keep a record of the categories of processing they carry out on behalf of each controller.
The records shall contain the following information:
- The name and contact details of the controller and, where applicable, of any joint controller, the controller's representative and the data protection officer;
- The purposes of the processing;
- A description of the categories of data subjects and of the categories of personal data;
- The categories of recipient to whom the personal data have been or will be sent, including recipients in third countries or international organisations;
- Transfers of personal data to a third country or international organisation, including documentation of appropriate safeguards;
- Time limits for the deletion of different categories of data;
- A general description, where possible, of the technical and organisational security measures implemented.
Under Article 30(5) of the GDPR, the obligation does not apply to an enterprise or organisation employing fewer than 250 persons.
However, the exemption is narrow. Regardless of headcount, an organisation with fewer than 250 employees must still keep a record of processing activities if any of its processing:
- Is likely to present a risk to the rights and freedoms of the data subjects;
- Is not occasional (routine processing such as payroll or customer records falls here, so in practice most organisations are caught by this condition alone);
- Relates to criminal convictions and offences (Article 10 of the GDPR);
- Includes special categories of personal data (listed in Article 9 of the GDPR):
  - Racial or ethnic origin
  - Political opinions
  - Religious or philosophical beliefs
  - Trade union membership
  - Genetic data
  - Biometric data processed to uniquely identify a natural person
  - Data concerning health, or data concerning the sex life or sexual orientation of a natural person
These conditions are alternatives: meeting any one of them is enough to trigger the obligation.
The record of processing activities must be in writing, which includes electronic form, and must always be kept up to date. It must be made available to the supervisory authority on request.
The record provides an overview of all data processing activities within the organisation and therefore lets the organisation see which categories of data are being processed, by whom (which departments or business units) and for what purposes. With that knowledge, teams can identify overlapping projects with the same or similar objectives, combine efforts, and gain tighter control over processing activities. It also gives insight into risks and the mitigation actions needed, and puts the organisation in a position to do more, in an orderly way, with the personal data it holds.
Any successful data protection program starts with understanding what kind of data a company collects, stores, processes, shares and disposes of.
Having a visual element such as a data map allows you to have an overview of what data the company handles and whether it is transferred from one location to another either internally or externally.
In addition, the data visualisation will help employees to easily follow the personal data flows in the organisation and managers to have full control of all data.
A data map visually shows the processing activities, i.e. the data that a company is processing, and to whom it is communicating (the recipients).
The processing activities shown in the map should be the same ones documented in the record of processing activities, so that the map and the record stay consistent and the organisation can demonstrate compliance with Article 30 of the GDPR, which requires each data controller to keep such a record.
A comprehensive data flow map to help ensure GDPR compliance will show all the data that exists in the company and where it is moving in and out of the company. When data mapping for GDPR make sure to include the following:
- What data is being handled, is it sensitive data or not?
- Where is the data stored?
- Where does the data go?
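The following is an added example, not code from the original page or from any regulator: a small Python checker that treats the record of processing activities as structured data, flags entries missing something Article 30(1) expects (no retention period for a data category, a third-country transfer with no documented safeguard, no description of security measures), applies the Article 30(5) headcount test with its exceptions, and emits a Graphviz DOT data-flow map of which activity sends which data categories to which recipients. The field names, the `Activity` class, the sample register entries and the `headcount` parameter are assumptions for illustration only.

```python
# Added example (not part of the original page): validate an Article 30
# register held as data, apply the Art. 30(5) test, and derive a data-flow map.
# All field names and sample entries below are hypothetical.
from __future__ import annotations
from dataclasses import dataclass, field
from typing import Optional

# Special categories of personal data listed in Article 9(1) GDPR.
SPECIAL_CATEGORIES = {
    "racial or ethnic origin", "political opinions",
    "religious or philosophical beliefs", "trade union membership",
    "genetic data", "biometric data", "health data",
    "sex life or sexual orientation",
}


@dataclass
class Activity:
    name: str
    controller: str                  # name and contact details (Art. 30(1)(a))
    purposes: list[str]              # Art. 30(1)(b)
    data_subjects: list[str]         # Art. 30(1)(c)
    data_categories: list[str]       # Art. 30(1)(c)
    recipients: list[str]            # Art. 30(1)(d), internal or external
    transfers: dict[str, Optional[str]] = field(default_factory=dict)  # country -> safeguard doc
    retention: dict[str, str] = field(default_factory=dict)            # category -> time limit
    measures: list[str] = field(default_factory=list)                  # Art. 30(1)(g)
    occasional: bool = False         # Art. 30(5): "not occasional" alone triggers the duty
    likely_risk: bool = False        # likely to present a risk to data subjects
    criminal_data: bool = False      # Art. 10 data

    def special_categories(self) -> set[str]:
        return {c for c in self.data_categories if c in SPECIAL_CATEGORIES}


def validate(a: Activity) -> list[str]:
    """Return one finding per gap against the Art. 30(1) field list."""
    findings = []
    for fld in ("controller", "purposes", "data_subjects", "data_categories", "recipients"):
        if not getattr(a, fld):
            findings.append(f"{a.name}: missing {fld}")
    for country, safeguard in a.transfers.items():
        if not safeguard:
            findings.append(f"{a.name}: transfer to {country} has no documented safeguard")
    for cat in a.data_categories:
        if cat not in a.retention:
            findings.append(f"{a.name}: no deletion time limit for '{cat}'")
    if not a.measures:
        findings.append(f"{a.name}: no technical/organisational measures described")
    return findings


def record_required(activities: list[Activity], headcount: int) -> bool:
    """Art. 30(5): below 250 staff the duty still applies if ANY activity is
    non-occasional, likely to present a risk, or involves Art. 9 / Art. 10 data."""
    if headcount >= 250:
        return True
    return any(
        (not a.occasional) or a.likely_risk or a.criminal_data or bool(a.special_categories())
        for a in activities
    )


def flow_edges(activities: list[Activity]) -> list[tuple[str, str, str]]:
    """(source activity, recipient, data categories) edges for the data map."""
    edges = []
    for a in activities:
        label = ", ".join(a.data_categories)
        for r in a.recipients:
            edges.append((a.name, r, label))
        for country in a.transfers:
            edges.append((a.name, f"third country: {country}", label))
    return edges


def to_dot(activities: list[Activity]) -> str:
    """Render the flow edges as Graphviz DOT (pipe into `dot -Tpng`)."""
    lines = ["digraph data_map {", "  rankdir=LR;"]
    for src, dst, label in flow_edges(activities):
        lines.append(f'  "{src}" -> "{dst}" [label="{label}"];')
    lines.append("}")
    return "\n".join(lines)


# Constructed sample register (hypothetical entries for a 40-person company).
REGISTER = [
    Activity(
        name="Payroll", controller="Example Ltd, dpo@example.com",
        purposes=["salary payment"], data_subjects=["employees"],
        data_categories=["contact details", "bank details", "trade union membership"],
        recipients=["HR department", "External payroll provider"],
        retention={"contact details": "end of employment + 6 years",
                   "bank details": "end of employment + 6 years",
                   "trade union membership": "end of employment"},
        measures=["role-based access control", "encryption at rest"],
    ),
    Activity(
        name="Newsletter", controller="Example Ltd, dpo@example.com",
        purposes=["marketing"], data_subjects=["subscribers"],
        data_categories=["email address"], recipients=["Marketing department"],
        transfers={"United States": None},   # mailing provider, safeguard not yet documented
    ),
]

if __name__ == "__main__":
    for a in REGISTER:
        for finding in validate(a):
            print("FINDING:", finding)
    print("record required at 40 staff:", record_required(REGISTER, headcount=40))
    print(to_dot(REGISTER))
```

Run as-is and the Newsletter entry produces three findings (undocumented US transfer, no deletion time limit, no security measures), while the Payroll entry is clean; the register is still mandatory at 40 staff because both activities are non-occasional and Payroll holds trade union membership data. The DOT output is the data map: each arrow is a flow of named data categories from an activity to a recipient or a third country, which is exactly the "where is it stored, where does it go" view the questions above ask for.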