One of the biggest obligations introduced by the new privacy legislation (GDPR) is that many organisations must keep a register of all personal data processed within their organisation. Collecting this data is a major task in itself, but keeping it up to date and identifying high-risk situations is an even greater challenge.
Privacy management software can support the creation and maintenance of a register by reducing and automating common and repetitive tasks. In this blog, we first want to give you some information about the proper layout of your register: What kind of data do you need? We also explain how you can make a data inventory easier by distinguishing between information about where your data is stored on the one hand and the way the data is subsequently processed on the other hand.
The GDPR requires most organisations that process personal data to record all their processing activities. Article 30 of the GDPR lists the information that must be kept for each processing activity. However, the term 'processing activity' is not defined further in the GDPR, which leaves the required level of detail of the register open. Organisations can therefore decide for themselves how granular their registration of processing activities should be, which raises many questions in practice.
In general, it can be said that the register of processing operations must contain information about which personal data are stored by the organisation and how these personal data are used. Making a distinction between systems and processing activities within your organisation can make it easy to map all this out.
The systems represent all places within the organisation where personal data is stored. Examples of systems are applications and databases, but also physical storage such as filing cabinets. Processing activities, on the other hand, cover all the ways in which personal data is used within the organisation. Examples of processing are payroll, certain business analyses, recruitment campaigns or sending newsletters. Data is often stored in one place but used in multiple ways, some of which carry more risk, or rest on a clearer legitimate basis, than others. By cross-linking systems and processing activities, your organisation gains a better insight into these risks.
Software can help you to identify all the systems and processing activities that exist within your organisation. Privacy management software simplifies this by offering inventory forms in a fixed format for both systems and processing activities. These forms serve as a starting point for the information to be collected and give users a clear idea of what they should provide.
In general, a system inventory should contain information about what personal data you have stored. This concerns information about the specific data that is stored but also about the type of storage and the precautions that have been taken. Information must be collected about the location of the storage, who is responsible for the storage and what security measures have been taken to protect the data. It can be useful to start by making an inventory of all the systems within your organisation so that you can make use of them when making an inventory of the processing operations.
An inventory of a processing activity should contain information about what you do with the data you store. It should therefore first ask which systems are involved, as these are the sources of the personal data being processed, and which personal data is used from each system. In addition, you must collect information about the way in which the data is processed: the purpose of the processing, the legal basis for the processing, the role of your organisation in this processing (are you a controller or a processor?) and the retention period.
By making an inventory of all the systems and processing activities within your organisation, you create a complete picture of the personal data in your organisation. Because each processing activity refers back to the systems it draws on, this method also reveals data that is collected and stored but not used by any processing activity. This may be an indication that you do not actually need this data.
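As an added example (not part of the original post or of any privacy management product), the following Python model shows the system/processing-activity split described above as data structures, with the cross-link used to derive stored-but-unused data and to flag incomplete register entries. All systems, activities and field values are constructed for illustration.

```python
from dataclasses import dataclass, field

@dataclass
class System:  # a place where personal data is stored: application, database, filing cabinet
    name: str
    location: str
    owner: str             # who is responsible for the storage
    data_categories: set   # personal data kept in this system
    security_measures: set = field(default_factory=set)

@dataclass
class ProcessingActivity:  # a way personal data is used, with the register fields named in the post
    name: str
    purpose: str
    legal_basis: str
    role: str              # "controller" or "processor"
    retention_period: str
    systems: dict          # system name -> data categories taken from that system

# Constructed sample register; every value below is illustrative.
SYSTEMS = {s.name: s for s in [
    System("HR database", "on-premises server", "HR", {"name", "address", "bank account", "salary", "date of birth"}, {"access control"}),
    System("Newsletter tool", "SaaS vendor, EU region", "Marketing", {"name", "email"}, {"SSO"}),
    System("Filing cabinet", "HR office", "HR", {"name", "CV", "interview notes"}, {"lock"}),
]}
ACTIVITIES = [
    ProcessingActivity("Payroll", "pay salaries", "contract", "controller", "7 years", {"HR database": {"name", "bank account", "salary"}}),
    ProcessingActivity("Newsletter", "inform customers", "consent", "controller", "until unsubscribe", {"Newsletter tool": {"name", "email"}}),
    ProcessingActivity("Recruitment campaign", "fill vacancies", "legitimate interest", "controller", "", {"Filing cabinet": {"name", "CV"}}),  # retention period left empty
]

def unused_data(systems, activities):
    """Per system, the data categories stored there that no processing activity uses."""
    used = {name: set() for name in systems}
    for act in activities:
        for sys_name, cats in act.systems.items():
            used.setdefault(sys_name, set()).update(cats)
    return {name: s.data_categories - used[name]
            for name, s in systems.items() if s.data_categories - used[name]}

def validate(systems, activities):
    """Register entries that are incomplete or inconsistent with the system inventory."""
    issues = []
    for act in activities:
        for f in ("purpose", "legal_basis", "retention_period"):
            if not getattr(act, f):
                issues.append(f"{act.name}: missing {f}")
        for sys_name, cats in act.systems.items():
            if sys_name not in systems:
                issues.append(f"{act.name}: unknown system {sys_name}")
            elif cats - systems[sys_name].data_categories:
                issues.append(f"{act.name}: {sys_name} does not hold {sorted(cats - systems[sys_name].data_categories)}")
    return issues
```

Running `unused_data(SYSTEMS, ACTIVITIES)` on the sample register reports the address and date of birth in the HR database and the interview notes in the filing cabinet as stored but unprocessed, while `validate` flags the recruitment entry for its missing retention period.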
The idea of a data inventory can be daunting, but it can certainly be made easier by using the available tools. If you have more questions about data inventories or privacy management software, feel free to contact us.