Kickstart your privacy administration with Privacy Nexus

Under the GDPR, almost every organization that processes personal data in a structural way is required to keep privacy records. No distinction is made here between different sectors. Of course, each sector does have its own challenges. In this E-guide, we discuss a few challenges and give you tips on how to solve them with the help of Privacy Nexus.

How do you retrieve all relevant information from your organization?

Because there are many complex and very specific activities taking place within an organization, it is quite a challenge for the Privacy Officer to retrieve all relevant information and record it in a processing register. For example, how do you find out which personal data is being used and to which agencies it is being forwarded? Privacy Nexus makes it easy to divide the work within the organization. You can assign responsibilities to colleagues, who can then find them on their personal homepage. By assigning access levels, you can ensure that colleagues only see the parts of the software that are relevant to them. That way they see what they need and don't get lost in the information. The Privacy Officer keeps an overview of progress and gains insight into the risks.

How do you ensure that all information is returned in the right format?

When you have to collect information from many different people, you will often get a wide variety of responses. Even when you set up a standard questionnaire, one person will answer the questions in great detail while another will get no further than 'we process personal data'. By using Privacy Nexus you can not only automate the questionnaire but also ensure that everyone provides the same type of input. Privacy Nexus uses closed questions as much as possible. This makes it a lot easier to provide the right information and reduces the chance of providing irrelevant information. For example, for the question "What personal data do you process?" you make a selection from a list of pre-defined personal data. This prevents general, meaningless answers like 'personal data' and also allows you to filter your processing activities by a specific type of personal data (e.g., 'date of birth').

How do you know whether or not you need to conduct a DPIA?

With all that personal data, there may be a processing activity that poses such a risk to data subjects that a DPIA needs to be conducted. Conducting a DPIA is often seen as a difficult undertaking that takes a lot of time. Privacy Nexus helps you with this by assessing for each processing activity whether a DPIA is recommended, so the person answering the questions does not have to make this assessment themselves. It is then clear at a glance for which processing operations a DPIA is recommended. When a DPIA is recommended, you can carry it out with the DPIA module, in which we again use closed questions as much as possible. The latter ensures that the person who filled out the questionnaire for the associated processing activity can also help collect some of the information needed to conduct the DPIA. By then linking the DPIA to the relevant processing activity in the processing register, you can easily demonstrate that you have complied with the DPIA obligation for all high-risk processing.

How do you ensure that you can still collect information centrally even in a decentralized organization?

Within an organization, there is often a complex organizational structure in which many things are arranged and take place decentrally. On the one hand, there may be very specific processing activities taking place within a certain department or location, and on the other hand there is a large number of processing activities taking place at all departments or locations. In addition, much of the processing will be done using the same systems (software). You want to prevent multiple people from spending time collecting and entering the same information, for example when the processing activity 'customer dossier management' is entered separately by multiple departments. Privacy Nexus makes it very easy to record all information centrally and still maintain an overview per department. You do this by defining the organizational structure of your organization in Privacy Nexus. The different parts of your privacy administration, such as processing activities, DPIAs and data breaches, can then be linked to the different parts of the corporate structure. This way you still create a clear overview per department that you can easily filter by.