April 9, 2018
The GDPR (General Data Protection Regulation) is a new European law on data privacy. The GDPR applies to organizations located within the EU and to organizations that offer goods or services to, or monitor the behavior of, EU data subjects. It applies to all companies processing and holding the personal data of EU residents, regardless of the company’s location.
In this article, we focus on what “records of processing activities” are, what you need to include as a controller and as a processor, and how to easily create and maintain your records of data processing activities.
Before turning to the records of data processing activities, let’s first review who is a ‘controller’ and who is a ‘processor’ according to the GDPR. The GDPR places responsibility not only on the controller but also on the processors involved. If you are not sure which category you belong to, here are the official definitions of a data processor and a data controller:
‘Controller’ means the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data;
‘Processor’ means a natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller;
(Article 4, Definitions)
For example, if you are a retailer that collects your clients’ information and you use a mailing tool to send newsletters to them, you would be a ‘controller’ and the company that operates your cloud-based mailing tool is a ‘processor’. Your customers are ‘data subjects’ and their email addresses are ‘personal data’. Storing the email addresses in a database or cloud tool is a “processing activity”. Sending emails is another “processing activity”.
Records of processing activities are a document that provides a complete overview of all data processing activities within your organization. Article 30 of the GDPR (General Data Protection Regulation) states that both controllers and processors shall maintain records of processing activities:
Each controller and, where applicable, the controller’s representative, shall maintain a record of processing activities under its responsibility. That record shall contain all of the following information:
a. the name and contact details of the controller and, where applicable, the joint controller, the controller’s representative and the data protection officer;
b. the purposes of the processing;
c. a description of the categories of data subjects and of the categories of personal data;
d. the categories of recipients to whom the personal data have been or will be disclosed including recipients in third countries or international organisations;
e. where applicable, transfers of personal data to a third country or an international organisation, including the identification of that third country or international organisation and, in the case of transfers referred to in the second subparagraph of Article 49(1), the documentation of suitable safeguards;
f. where possible, the envisaged time limits for erasure of the different categories of data;
g. where possible, a general description of the technical and organisational security measures referred to in Article 32(1).
Each processor and, where applicable, the processor’s representative shall maintain a record of all categories of processing activities carried out on behalf of a controller, containing:
a. the name and contact details of the processor or processors and of each controller on behalf of which the processor is acting, and, where applicable, of the controller’s or the processor’s representative, and the data protection officer;
b. the categories of processing carried out on behalf of each controller;
c. where applicable, transfers of personal data to a third country or an international organisation, including the identification of that third country or international organisation and, in the case of transfers referred to in the second subparagraph of Article 49(1), the documentation of suitable safeguards;
d. where possible, a general description of the technical and organisational security measures referred to in Article 32(1).
(Article 30 GDPR, Records of processing activities)
Controllers and processors need to make the records available to the supervisory authority on request.
Records should be kept in a centralised manner. The easiest way to create your register of processing activities is to use a proper tool that can cover all the required topics, provide a comprehensive overview and is easy to maintain. This document is also referred to as the “Data Register”.
The Belgian Data Protection Authority (DPA) has published an Excel template of the Register of processing activities. Based on this template, Blendr.io built a user-friendly online Data Register, so companies and organizations can easily create and maintain their records of processing activities.
The Data Register covers all the requirements stated in Article 30 of the GDPR and provides examples of categories of personal data, purposes of processing, categories of data subjects, etc., so you can easily select what is applicable to your company.
The Blendr.io Data Register’s step-by-step approach takes you through all the required points to gather the essential information. You simply need to fill in and select the required fields. Maintain your Data Register online and export it at any time as an Excel or PDF document. The tool is available in English, Dutch and French.