I am sure you are fully aware that the General Data Protection Regulation (GDPR) enters into force in a few weeks, and I'm sure you have also started to work on the requirements specific to your business. Having a good record of processing activities is extremely important, especially in terms of accountability. Do you have your record in order? If so, congratulations; if not, you need to read this post, which includes some valuable tips for a successful implementation.
On May 25th, 2018, the EU General Data Protection Regulation will also apply to many Swiss enterprises. Two essential points of the European data protection law are the right of access to information and transparency towards individuals. The record of processing activities is fundamental to the implementation and is explicitly required in Article 30. Enterprises employing fewer than 250 people are exempted from this requirement, albeit with some exceptions.
Article 30 requires each enterprise to keep a record of all processing activities performed under its responsibility. In addition, reasonable organisational and technical controls must be introduced to guarantee an appropriate level of protection. As examples, the GDPR mentions encryption, pseudonymisation and other controls that ensure confidentiality, integrity and availability.
So is it just old wine in new bottles? In fact, it is, because it doesn't matter whether we talk about IT security, cyber security or data protection: your crown jewels, as well as person-related data, need the right protection. And the best way to achieve this is by answering the following four questions:
Are you wondering what this has to do with data protection, in particular with the preparation for the GDPR? It's simple: in order to prepare the record correctly, you need to know which person-related data are processed in which systems, what risks they face, and which controls you should implement to protect these data.
It is important that the record is not just created once and then forgotten. It must be maintained continuously, since processing activities can change over time, including those that relate to personal data. According to the GDPR, the following aspects fall under the definition of "processing activities":
Given the size of the record, a simple spreadsheet is no longer enough. The record must provide information on the following points:
To avoid needless duplication of documents, existing documents can be linked into the record of processing activities. However, remember that, when required, these documents must also be made available to the supervisory authority. It also makes sense to align the record with other inventory-keeping applications (CMDB (Configuration Management Database), process documentation, risk register, etc.).
As you see, there's a lot to do, and data protection documentation is not exactly among the most beloved duties in enterprises. But don't worry: we've put together a practical guideline. It will support you with valuable suggestions for developing and maintaining a GDPR-compliant record of processing activities. Because documentation is the alpha and omega of GDPR preparedness, get busy with it right away!
Do you have to take further measures for the GDPR apart from the record of processing activities? Don't worry, we are happy to assist you. Our whitepaper on GDPR readiness covers all the important changes and gives you practical tips for implementation. Click here for the free download:
Are you already a step ahead? Awesome! Then you can devote yourself fully to your record of processing activities. In our free GDPR guideline you receive valuable tips from our experts for practical implementation. Why? Because documentation is the alpha and omega of the GDPR. Just click on the blue button right here and benefit from the free template "GDPR processing directory guideline".