If you have embarked on a journey to identify data processing activities in your Organization, the good news is that you are heading in the right direction in building your GDPR-compliant Privacy program.
However, the identification of data processing is not a one-time task but an ongoing activity.
Organizations are like living organisms: different organizational units create new products and services, partners and vendors change, and IT systems evolve constantly.
A part of organizational culture should be reporting to the DPO when data processing is involved. As a Data Protection Officer, you have to get acquainted with the way your organization or business consumes data and have a clear overview of data processing.
To help you create a GDPR-positive environment in your organization, we have put together 4 steps that a Data Protection Officer or a Privacy program leader should take to successfully identify and record the processing of personal data.
1. Define privacy responsibilities
The division of responsibilities should be the first task to tackle.
With an executive management Privacy program sponsor and a clear Privacy vision and mission statement in place, privacy responsibilities can be defined.
Every processing activity should have a defined owner responsible for recording and updating privacy information and technical details about the activity.
The definition of ownership will depend on the chosen privacy governance model. However, it is recommended that an owner is a person involved in the business decisions around the processing.
For example, a marketing manager should be responsible for updating the records of processing for marketing purposes, like marketing campaigns, visitor tracking, newsletters, etc.
The Data Protection Officer can schedule a regular process of updating the records of processing for marketing and assign it to the Marketing Manager.
The Marketing Manager will then collect all the needed information from the employees working in the marketing department and update the records.
This approach allows for the distribution of work and segregation of duties between the Privacy professional and Business owners.
2. Work closely with different organizational units
When responsibilities have been assigned, it is essential to keep on working closely with different business units through cooperation with the stakeholders.
The Data Protection Officer needs to have internal partners, such as marketing, human resources (HR), legal, risk management, security, and IT.
Depending on your organization's industry and business, its corporate culture, and the personalities of the various members of your management team, the executive managers and internal partners will each have some level of involvement.
For the Data Protection Officer, working closely with stakeholders should include:
• Becoming aware of how different stakeholders treat and view personal information
• Understanding their use of the data in a business context (purpose)
• Assisting with embedding privacy requirements into their ongoing projects to help reduce risk
• Offering solutions to reduce the risk of personal information exposure
• Creating and distributing surveys and scheduling tasks for updating processing activity records
3. Educate and provide advice
Training of employees in privacy-related matters should be an obligatory part of the Privacy program.
While it is not necessary for the Data Protection Officer to conduct the training, he or she should be responsible for its organization and development.
Training should include instructions on recording and updating the records of processing activities and on responding to surveys about the processing.
Training should also help employees understand the importance of privacy and why it is crucial to have correct and up-to-date records of processing.
Employees will sometimes be uncertain about what information should be included in the records, and it is important that the DPO can help clear up those uncertainties.
For this reason, it is crucial to have a tool enabling efficient privacy collaboration between the DPO and other privacy stakeholders.
4. Monitor progress
Creating executive reports on the status of privacy, including the risks, should be one of the outputs of the Privacy program.
These reports should include information about the status of the discovery process.
Ideally, with a program in place, all data processing should be identified and governed by updating the information regularly.
The Data Protection Officer should monitor the progress and be notified about the identification of new processing activities, or new information on existing processing.
The DPO should also schedule tasks for stakeholders and assist them in achieving their goals.
This help will include advising and resolving disputes that arise when contradictory information is collected.
How to create and maintain a data processing inventory?
Your data processing inventory has to be up to date with your Organization's data processing. It should not just be a list of records containing information mandated by the regulation, as such a list can fall out of sync with the real processing.
This is most easily done by using specialized data privacy software that provides functionalities for effective collaboration and built-in intelligence to record privacy-related information and integrate it with other systems and data.
The most common method of creating a data processing inventory is to create records of processing activities in an Excel spreadsheet, and there are many free and well-structured templates available on the Internet for GDPR Article 30 record keeping.
It should be noted that the GDPR only specifies the information that an organization needs to record, not the structure and format for maintaining the records.
Excel can only be a good place to start with record-keeping for small and medium companies. However, in the long run, a centralized inventory should be created and integrated with the Organization’s systems and data.
The complexity of the data inventory will depend on:
• size of the Organization,
• number of stakeholders,
• volume of personal data the Organization is processing,
• maturity of the Privacy program
Nevertheless, the GDPR also demands the implementation of defined policies in accordance with the principles of data protection.
This means that all information from the Records needs to be aligned with business processes and IT systems, and all policies should be applied to the information contained in those IT systems.
One problem with keeping the data processing inventory in Excel is that there are no automated actions applied to the data or processes in case anything important changes in the records.
For example, there will be:
• no notifications when there is a new third party added to the processing;
• no actions if a data retention period has changed or expired;
• no automated tasks for stakeholders in case the risk for processing activity is high or critical, etc.
Let us compare your Privacy program to a Moon landing program. The Data Protection Officer is the mission control manager, the stakeholders responsible for data processing are the astronauts and data processing is like flying to the Moon.
Records of processing in Excel would then be like waiting for the astronauts to return before knowing anything about the mission. There would be no way for mission control to know if anything is wrong with the flight in time to help.
Don’t let your data get lost in space.