4 Steps For Identifying Data Processing Activities

If you embarked on a journey to identify data processing activities in your organization, the good news is you have taken the right direction in building your GDPR-compliant privacy program.

However, the identification of data processing is not a one-time task but rather an ongoing activity since organizations are like living organisms, with different organizational units creating new products and services, changing partners and vendors, and evolving IT systems.

A part of organizational culture should be reporting to the DPO when data processing is involved. The Data Protection Officer should know how an organization or business consumes data and have a clear overview of data processing.

To help you create a GDPR-positive environment in your organization, we have put together four steps for a DPO or a privacy program leader that should be done to identify and record the processing of personal data successfully.

1. Define Privacy Responsibilities

The division of responsibilities should be the first task to tackle.

Privacy responsibilities can be defined with an executive management sponsor for the privacy program and a clear vision and mission statement.

Every processing activity should have a defined owner responsible for recording and updating privacy information and technical details about the activity.

The definition of ownership will depend on the chosen privacy governance model. However, it is recommended that an owner is involved in the business decisions around the processing.

For example, a marketing manager should be responsible for updating records of processing for marketing purposes, like marketing campaigns, visitor tracking, or newsletters.

The Data Protection Officer can schedule a regular process of updating the records of processing for marketing and assign it to the marketing manager.

The marketing manager will then collect all the needed information from the employees working in the marketing department and update the records.


This approach allows work to be distributed and duties to be segregated between the privacy professional and the business owners.

2. Work Closely With Different Organizational Units

When responsibilities have been assigned, it is essential to keep working closely with different business units through cooperation with the stakeholders.

The DPO needs internal partners, such as marketing, human resources (HR), legal, risk management, security, and IT.

Depending on your organization’s industry and business, the corporate culture of your organization, and the personalities of the various members of your management team, the executive managers and internal partners will each have some level of involvement.

For the DPO, working closely with stakeholders should include:

  • Becoming aware of how different stakeholders treat and view personal information
  • Understanding their use of the data in a business context (purpose)
  • Assisting with embedding privacy requirements into their ongoing projects to help reduce risk
  • Offering solutions to reduce the risk of personal information exposure
  • Creating and distributing surveys and scheduling tasks for updating processing activity records


3. Educate and Provide Advice

Training of employees in privacy-related matters should be an obligatory part of the Privacy program.

While it is not necessary for the DPO to conduct the training, he or she should be responsible for its organization and development.

Training should include instructions on recording and updating the records of processing activities and responding to surveys about the processing.

Training should also help employees understand the importance of privacy and why it is crucial to have correct and up-to-date records of processing.

Employees will sometimes have uncertainties about what information should be included in the records, and it is important that the DPO can help clear them up.

For this reason, it is crucial to have a tool enabling efficient privacy collaboration between the DPO and other privacy stakeholders.


4. Monitor progress

Creating executive reports on the status of privacy, including the risks, should be one of the outputs of the Privacy program and should include information about the status of the discovery process.

Ideally, with a program in place, all data processing should be identified and governed by updating the information regularly.

The DPO should monitor the progress and be notified about the identification of new processing activities or new information on existing processing.

The DPO should also schedule tasks for stakeholders and assist them in achieving their goals.

This help will include advising stakeholders and resolving disputes that arise when contradictory information is collected.


How to create and maintain compliant ROPA

Your data processing inventory has to be up-to-date with your organization’s data processing. It should not just be a list of records containing information mandated by the regulation, as it can be out of sync with the real processing.

This is most easily done using specialized Data Privacy software that provides functionalities for effective collaboration and built-in intelligence to record privacy-related information and integrate it with other systems and data.

The most common method of creating a data processing inventory is to create ROPA in an Excel spreadsheet, and there are a lot of free and well-structured templates available on the internet for record-keeping for GDPR Article 30.

It should be noted that the GDPR only specifies the information that an organization needs to record, not the structure and format for maintaining the records.

Excel can only be a good starting point for record-keeping in small and medium companies. However, a centralized inventory should be created and integrated with the organization’s systems and data in the long run.

The complexity of the data inventory will depend on the following:

  • Size of the organization,
  • Number of stakeholders,
  • The volume of personal data the organization is processing,
  • Maturity of the privacy program

Nevertheless, the GDPR also demands the implementation of defined policies in accordance with the principles of data protection.

This means that all information from the Records needs to be aligned with business processes and IT systems, and all policies should be applied to the information contained in those IT systems.

One problem with keeping ROPA in Excel is that no automated actions are applied to the data or processes in case anything important changes in the records.

For example, there will be:

  • No notifications when there is a new third party added to the processing;
  • No actions if a data retention period has changed or expired;
  • No automated tasks for stakeholders in case the risk for processing activity is high or critical, etc.
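The three checks listed above can be run by comparing two snapshots of the records. The following is an added example, not part of the original article or of any product it mentions; the field names, the sample activities and the alert labels are all assumptions made for illustration.

```python
from datetime import date

# Constructed sample data: two snapshots of a ROPA keyed by processing activity.
# The field names (owner, third_parties, retention_until, risk) are assumptions.
PREVIOUS = {
    "newsletter": {"owner": "marketing", "third_parties": ["MailVendor"],
                   "retention_until": date(2025, 6, 30), "risk": "low"},
    "payroll": {"owner": "hr", "third_parties": [],
                "retention_until": date(2030, 1, 1), "risk": "medium"},
}
CURRENT = {
    "newsletter": {"owner": "marketing", "third_parties": ["MailVendor", "AdNetwork"],
                   "retention_until": date(2025, 6, 30), "risk": "high"},
    "payroll": {"owner": "hr", "third_parties": [],
                "retention_until": date(2031, 1, 1), "risk": "medium"},
    "visitor_tracking": {"owner": "marketing", "third_parties": ["AnalyticsCo"],
                         "retention_until": date(2024, 12, 31), "risk": "low"},
}
TODAY = date(2025, 1, 15)  # fixed so the result is reproducible


def ropa_alerts(previous, current, today):
    """Return (activity, kind, detail) tuples for changes the DPO should see."""
    alerts = []
    for name in sorted(current):
        rec, old = current[name], previous.get(name)
        if old is None:
            # Processing that was not in the last snapshot at all.
            alerts.append((name, "new_activity", rec["owner"]))
        known = set(old["third_parties"]) if old else set()
        for party in sorted(set(rec["third_parties"]) - known):
            alerts.append((name, "new_third_party", party))
        until = rec["retention_until"]
        if old and old["retention_until"] != until:
            alerts.append((name, "retention_changed", until.isoformat()))
        if until < today:
            alerts.append((name, "retention_expired", until.isoformat()))
        if rec["risk"] in ("high", "critical"):
            # High or critical risk becomes a task for the activity owner.
            alerts.append((name, "owner_task", rec["owner"]))
    return alerts


if __name__ == "__main__":
    for alert in ropa_alerts(PREVIOUS, CURRENT, TODAY):
        print(alert)
```
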

If we compare your privacy program to a Moon landing program, the DPO is the mission control manager, the stakeholders responsible for data processing are the astronauts, and data processing is like flying to the Moon.

Records of processing in Excel would be like waiting for the astronauts to return before knowing anything about the mission. There would be no way for mission control to know if anything is wrong with the flight in time to help.

That is why it is so important to get control over personal data processing, keep an up-to-date inventory of the processing activities, and have a tool that enables different organizational units to communicate and collaborate.
