As the enforcement of General Data Protection Regulation (GDPR) approaches, Records of Processing Activities (RPAs) is a term that is being thrown around quite a bit. It is also referred to as Procedure Index, Data Mapping, Data Flows among others. It is what data protection authorities will need evidence for after May 2018. It is a daunting prospect for most companies since only 34% of the companies (vpnMentor, 2018) are on their way to compliance so far. To make it easier on you all, we are going to outline all the steps to keep your records of processing activities ready for authorities:
Think of all the functions your company performs. Departments are not always clearly divided, especially in a start-up: chances are you don’t really have organised departments at all. So take a moment, think through all of your functions, and organise them in enough detail that every activity you carry out is assigned to a department.
This includes the name of your company and the contact details of the responsible person, usually the company’s Managing Director or Chief Executive Officer (CEO).
You need to decide how you want to manage all the documents together. Do you want to use Google Docs and keep them all in a shared drive? Do you want to create folders on your internal company network and use Microsoft Office? Or would you like a task management software for GDPR? It is important that you pick one option and then stick to it, since there will be many documents you need access to. Keep them in one place so that finding them is not a hassle.
Visualise all the departments in your company that use data in one way or another, for instance the Sales and Marketing, Product Development and Finance departments. Are these departments using any of the user data you obtain in any way? Make a list of these departments.
Identify the people who mainly manage the data-related activities in each department, and make a list of them. It is important that the person you pick knows very well what the department does with the data and can answer questions about all such department activities. The person you pick does not necessarily need to be the head of the department, but rather the one who knows the most about activities involving personal data.
Combine the two lists so that you have the name of the department and the corresponding contact person of the department.
Ideally, you need to appoint one person in your company who will act as the Data Protection Officer (DPO). This person can be anyone from your company and would later need some training, or would need to read the law or at least have a functional understanding of it. Ideally, this could be your Chief Operations Officer or Head of Legal. Usually, the DPO is also the person leading the records of processing activities.
In order to officially appoint the chosen person as your DPO, you need to sign a document with them outlining their responsibilities and the purpose of the role, in line with Article 37 of the GDPR. Our tool provides you with the document, which you can then download and request a signature for.
Ideally, each department should record every activity that uses data in any way. For instance, exchanging business cards would be one activity in the Marketing department; personnel holiday planning would be another one for the Human Resources department.
This is the tedious long-term task that has no short-cuts. You need to go step by step and define each activity. There are a few important points that you need to write down for each of these activities. These activities collectively are called the records of processing activities. Let’s go over the points one by one.
This includes what the activity is and who the contact person responsible for it is. For example, the activity could be IT for Employees, and someone in the IT department would be responsible for it.
The GDPR states that you have to explicitly record how this activity is aligned with the overarching purpose or vision of your company. If it uses people’s personal data, you need to show the legal justification for obtaining this data from them: is it through consent, for instance? Or is it necessary for the performance of a contract? This is the most critical part of the records of processing activities, since people often confuse the legal bases when adding their processing activities.
In this part, answer the question of whether you collect Personally Identifiable Information such as names, email addresses, bank details, etc. If you do, where do you collect it, and do you explicitly ask for consent before you obtain the information? Do you give this data to third parties? If yes, who are they and what do they do with it?
Whose data is this? Is it customers, clients, employees or partners? And what is it? Names, email addresses and bank details are some examples.
This is the straightforward part if your processes for it are defined. Unfortunately, most companies do not have processes for this kind of thing. It covers how long you store the data, the exact location of that storage, and when you delete it.
The final step of records of processing activities is to reorganize all this information from different departments and people, consolidate it, make sure you are not missing an activity or details of it and put it all together in one place for the authorities.
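As an added illustration of the checks this final step calls for (example code written for this article, not Ecomply.io’s tool), the following Python script models one record per activity with the points listed above and then consolidates the records from all departments: it flags departments with no recorded activities, activities recorded twice, records with missing details, and records whose legal basis is not a recognised one. The field names, the `consent_recorded` flag and the sample departments and activities are assumptions constructed for the example; the six legal bases are those of GDPR Article 6(1), of which the article mentions consent and contract.

```python
"""Completeness check for records of processing activities (RPAs).

Added example for this article; not Ecomply.io's tool. Field names and
sample data are constructed assumptions modelled on the points the article
lists for each activity.
"""
from collections import Counter
from dataclasses import dataclass, field

# Lawful bases of GDPR Article 6(1). The article mentions consent and
# contract; the other four are the remaining bases in the Regulation.
LEGAL_BASES = {
    "consent", "contract", "legal_obligation",
    "vital_interests", "public_task", "legitimate_interests",
}

# Free-text fields that every record must fill in (assumed field names).
REQUIRED_TEXT = (
    "department", "activity", "contact_person", "purpose",
    "retention_period", "storage_location", "deletion_rule",
)


@dataclass
class ProcessingActivity:
    """One record of processing activity, one per activity per department."""
    department: str
    activity: str
    contact_person: str
    purpose: str
    legal_basis: str
    data_subjects: list = field(default_factory=list)   # e.g. employees
    data_categories: list = field(default_factory=list) # e.g. names
    recipients: list = field(default_factory=list)      # third parties
    retention_period: str = ""
    storage_location: str = ""
    deletion_rule: str = ""
    consent_recorded: bool = False  # assumed flag: is consent evidenced?


def check_activity(act):
    """Return a list of problems for a single record (empty if complete)."""
    label = f"{act.department}/{act.activity or '<unnamed>'}"
    problems = []
    for name in REQUIRED_TEXT:
        if not getattr(act, name).strip():
            problems.append(f"{label}: missing {name}")
    if act.legal_basis not in LEGAL_BASES:
        problems.append(f"{label}: legal basis {act.legal_basis!r} is not "
                        f"one of {sorted(LEGAL_BASES)}")
    if act.legal_basis == "consent" and not act.consent_recorded:
        problems.append(f"{label}: legal basis is consent but no consent "
                        f"record is kept")
    if not act.data_subjects:
        problems.append(f"{label}: no data subjects listed")
    if not act.data_categories:
        problems.append(f"{label}: no data categories listed")
    return problems


def consolidate(departments, activities):
    """Merge records from all departments and report what is missing."""
    problems = []
    covered = {a.department for a in activities}
    for dept in departments:  # every department must contribute records
        if dept not in covered:
            problems.append(f"{dept}: no processing activities recorded")
    counts = Counter((a.department, a.activity) for a in activities)
    for (dept, name), n in counts.items():  # same activity entered twice
        if n > 1:
            problems.append(f"{dept}/{name}: recorded {n} times, merge them")
    for act in activities:
        problems.extend(check_activity(act))
    return problems


# Constructed sample data: three departments, one of which has no records.
SAMPLE_DEPARTMENTS = ["Marketing", "Human Resources", "Finance"]
SAMPLE_ACTIVITIES = [
    ProcessingActivity("Marketing", "Exchanging business cards", "J. Doe",
                       "Follow up with trade-fair contacts",
                       "legitimate_interests", ["partners"],
                       ["names", "email addresses"], [],
                       "2 years after last contact", "CRM (EU data centre)",
                       "Removed by quarterly CRM clean-up"),
    ProcessingActivity("Human Resources", "Personnel holiday planning",
                       "A. Smith", "Plan staff absences", "contract",
                       ["employees"], ["names", "absence dates"],
                       ["payroll provider"], storage_location="HR system"),
    ProcessingActivity("Marketing", "Newsletter", "J. Doe",
                       "Send product news", "consent", ["customers"],
                       ["email addresses"], ["mailing provider"],
                       "Until unsubscribe", "Mailing tool",
                       "Deleted on unsubscribe"),
]


def run_sample():
    """Consolidate the constructed sample and return its problem list."""
    return consolidate(SAMPLE_DEPARTMENTS, SAMPLE_ACTIVITIES)


if __name__ == "__main__":
    for line in run_sample():
        print(line)
```

On the constructed sample the report lists four gaps: Finance has recorded nothing, the holiday-planning record lacks a retention period and a deletion rule, and the newsletter claims consent as its basis without any consent record. The legal-basis check is deliberately strict because, as the step above notes, this is the field most often filled in wrongly.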
Ecomply.io allows you to create one-click reports, provides you with all the templates as well as guidance on what information to put into the different gaps. Our Task Management Tool is based on the legal requirements of the GDPR to ensure that the guidance actually helps you understand what to do.
If you would like to check out our platform, book a free demo now.
by Hauke Holtkamp