In connection with the EU General Data Protection Regulation (GDPR), many companies are wondering how to implement records of processing activities in practice. The record of processing activities lets a company inventory its data processing and gives it an overview of how personal data is handled. It also helps the company demonstrate compliance with the regulation and avoid penalties.
The record is a document prepared for analysis purposes and allows a company to precisely identify the following:
- The actors involved in data processing;
- The categories of data processed;
- The purpose of the processing;
- The retention period for the personal data;
- Security measures implemented to protect the data.
What Do the Records Include?
The records must include an inventory of all the processing carried out by your organization. Where the organization has designated a Data Protection Officer, the DPO's contact details must be specified. Furthermore, each record must include the following details:
- The name and contact details of the controller (or of the processor, for a processor's record);
- The categories of recipients, including third-party vendors, with whom the data have been or will be shared;
- The envisaged time limits for erasure of the data;
- The purposes for which the data is collected.
Who Safeguards and Maintains the Records?
The record must be held by controllers or processors so that they have an overview of all the personal data processing activities they operate. If the organization has a designated data protection officer (DPO), internal or external, the DPO can be put in charge of the record. The DPO's responsibilities then include updating the record regularly as the data processing evolves in practice.
How to Practically Implement Records of Processing Activities?
The following steps help an organization implement the records for its various processing activities:
Identify Personal Data Held by the Company
Companies should identify and record which personal data they process. They should also list the systems on which the data is stored. As part of this assessment, the following should be recorded:
- the type of data;
- the duration for which this data is directly required for a business transaction;
- the system on which the data is stored;
- information about the data source.
This inventory must be carried out in line with the requirements for records of processing activities set out in Article 30 of the GDPR.
Classify Data into Categories
The data types collected should be assigned to data categories based on their retention period. Separate categories should be created for data that is processed on behalf of a third-party data controller. This classification makes it easier to retrieve the relevant data when the company receives an access request.
Where other legal provisions require data to be retained beyond its active use, the data should be archived before deletion in a system that meets the legal requirements for storing it. The duration of the archiving is determined by the applicable legal provision.
Maintain and Define Policies
The company should regularly check that all third-party data transfers are documented and that the corresponding transfer channels operate as documented. The company should also define its data deletion policies and maintain deletion logs for auditing purposes.
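As an added example (not part of the original article), the following Python sketch ties the steps above together: it models a simplified register entry, checks it for the fields the article lists, classifies data categories by retention period (keeping processor-held data separate), finds categories whose retention period has elapsed, and keeps an append-only deletion log whose entries are hash-chained so that later edits are detectable. The field names, the `ProcessingRecord` layout and the sample record are assumptions made for this illustration, not a prescribed Article 30 schema.

```python
"""Toy register of processing activities (added example, not the article's own code).

Field names and the sample record below are assumptions for illustration only.
"""
from __future__ import annotations
from dataclasses import dataclass, field
from datetime import date, timedelta
from typing import Dict, List, Optional, Tuple
import hashlib
import json


@dataclass
class DataCategory:
    """One category of personal data held for an activity (fields assumed)."""
    name: str                        # type of data, e.g. "customer contact details"
    system: str                      # system on which the data is stored
    source: str                      # where the data came from
    retention_days: int              # how long it is needed for the business purpose
    on_behalf_of: Optional[str] = None  # third-party controller, if held as a processor


@dataclass
class ProcessingRecord:
    """Simplified register entry; field names are this example's own."""
    activity: str
    controller: str
    controller_contact: str
    purposes: List[str]
    data_subjects: List[str]
    categories: List[DataCategory]
    recipients: List[str]
    security_measures: List[str]
    dpo_contact: Optional[str] = None
    third_country_transfers: List[str] = field(default_factory=list)


REQUIRED_FIELDS = ("activity", "controller", "controller_contact", "purposes",
                   "data_subjects", "categories", "recipients", "security_measures")


def missing_fields(rec: ProcessingRecord) -> List[str]:
    """Required fields left empty; a record with any is not complete."""
    return [name for name in REQUIRED_FIELDS if not getattr(rec, name)]


def classify_by_retention(rec: ProcessingRecord) -> Dict[Tuple[int, Optional[str]], List[str]]:
    """Group category names by (retention period, third-party controller).

    Data processed on behalf of another controller gets its own group even when
    the retention period matches data the company holds as controller.
    """
    groups: Dict[Tuple[int, Optional[str]], List[str]] = {}
    for cat in rec.categories:
        groups.setdefault((cat.retention_days, cat.on_behalf_of), []).append(cat.name)
    return groups


def due_for_erasure(rec: ProcessingRecord, collected_on: Dict[str, date], today: date) -> List[str]:
    """Category names whose retention period has elapsed since collection."""
    return [cat.name for cat in rec.categories
            if cat.name in collected_on
            and today >= collected_on[cat.name] + timedelta(days=cat.retention_days)]


class DeletionLog:
    """Append-only deletion log; each entry includes the previous entry's hash."""

    def __init__(self) -> None:
        self.entries: List[dict] = []

    @staticmethod
    def _digest(body: dict) -> str:
        return hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()

    def record(self, activity: str, category: str, system: str, deleted_on: date, actor: str) -> dict:
        prev = self.entries[-1]["hash"] if self.entries else "0" * 64
        body = {"activity": activity, "category": category, "system": system,
                "deleted_on": deleted_on.isoformat(), "actor": actor, "prev": prev}
        body["hash"] = self._digest(body)
        self.entries.append(body)
        return body

    def verify(self) -> bool:
        """Recompute the chain; False if any entry was altered or removed."""
        prev = "0" * 64
        for entry in self.entries:
            body = {k: v for k, v in entry.items() if k != "hash"}
            if body["prev"] != prev or self._digest(body) != entry["hash"]:
                return False
            prev = entry["hash"]
        return True


# Constructed sample record (fictitious data, for illustration only).
SAMPLE = ProcessingRecord(
    activity="Online shop order handling",
    controller="Example Retail GmbH",
    controller_contact="privacy@example.com",
    purposes=["order fulfilment", "invoicing"],
    data_subjects=["customers"],
    categories=[
        DataCategory("customer contact details", "CRM", "checkout form", 365),
        DataCategory("payment transaction data", "billing DB", "payment provider", 3650),
        DataCategory("delivery addresses", "shipping system", "checkout form", 365),
        DataCategory("partner loyalty IDs", "CRM", "partner API", 365, on_behalf_of="Partner Loyalty Ltd"),
    ],
    recipients=["parcel carrier", "payment provider"],
    security_measures=["encryption at rest", "role-based access", "access logging"],
    dpo_contact="dpo@example.com",
)
```

The hash chain is what makes the deletion log useful to an auditor: an entry can be appended but not silently changed or dropped without `verify()` failing. The completeness check is deliberately strict about empty lists, since a record with no recipients or no security measures usually means the inventory step was skipped rather than that nothing applies.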