Register for processing activities under the new GDPR?
At this moment, while the Dutch Personal Data Protection Act still applies, the processing of personal data must in principle be notified to the Dutch Data Protection Authority (DPA). Because practically every organization in our country processes personal data continually, day in, day out, it would be unfeasible to notify each of these processing activities to the DPA, and for that reason the legislator decided that quite a few frequently performed processing activities are exempted from the notification duty. On Friday 25 May 2018 the European General Data Protection Regulation (GDPR) will come into force and replace the current Data Protection Act. From that moment the notification duty will also cease to exist. Instead, following the principle of accountability, your organization must be able to show that it complies with the GDPR. Within that scope a registration duty has been added to the GDPR.
In the blog of 31 May 2017 we gave you 10 tips to get your organization ready for the European General Data Protection Regulation (GDPR). In this blog I will explain tip 5 in more detail: check whether your organization must draw up and keep a register of processing activities.
Before a register of processing activities can be drawn up, it is important that your organization maps out all data processing and all data flows from and to your organization. This is also called ‘data mapping’. Data mapping often gives a much clearer insight into the data processing of your organization and therefore contributes to a better basis for compliance.
In this regard it is important to focus not only on so-called ‘structured data’, meaning personal data of which you know that they are being collected and where, but also on ‘unstructured data’. This last category involves personal data that are hidden in, for example, Outlook folders or a P-drive on a computer. Those personal data also fall under the GDPR and therefore under the registration duty, so they must be mapped as well. Most likely part of the information that must be entered into the register, which I will list below, is already at hand within your organization: for example a database with client data, a personnel administration, an existing policy on retention periods, audits, IT security reports et cetera. By mapping data properly you will already gain a good insight into all current processing of personal data.
The GDPR stipulates that the controller must keep a register of the processing activities that are carried out under its responsibility. The current notification requirement then ceases to exist. The only notification requirement that remains is the one for intended processing with an increased risk.
Apart from the controller, the processor (at this moment still called operator) must also keep a register of all categories of processing of personal data that the processor carries out on behalf of the controller.
The obligation of the controller and/or the processor to keep a register of processing does not apply to a controller or processor with fewer than 250 staff members, unless it is likely that the processing they perform poses a risk to the privacy of the data subjects, or the processing is structural, or it concerns special personal data or personal data relating to criminal convictions. Special personal data are data about someone’s race and ethnic origin, political opinions, religious or philosophical beliefs, membership of a trade union, medical and biometric data and sexual orientation.
The controller and the processor must both keep a processing register, however, what they have to put into it varies.
Per processing activity the controller must enter the following into the register:
- Name and contact details of the controller, of any joint controllers and, if present, of the Data Protection Officer. In the blog of 1 November 2017 Vivenne Verlinden answered the question of when a Data Protection Officer must be appointed;
- The purposes for the processing of the personal data;
- A description of the categories of the data subjects and of the categories of personal data;
- The (intended) categories of recipients;
- Any transfer of personal data to a third country or an international organization, including the identification of the country or organization concerned;
- The (intended) retention periods;
- A general description of the technical and organizational security measures that have been taken;
- Even though it is not compulsory, it is advisable to also enter into the register the legal basis or bases for the processing. Is there, for example, consent from the data subject and/or another basis?
Per processing activity the processor must enter the following into the register:
- Name and contact details of the processor(s), the controller(s) and, if present, the Data Protection Officer;
- The categories of processing that are carried out by each controller;
- Any transfer of personal data to a third country or an international organization, including the identification of the country or organization concerned;
- A general description of the technical and organizational security measures that have been taken.
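The two field lists above and the 250-staff exemption can be turned into a simple check. The following is an added example, not code from the blog or from any official register template; the field names, the `Entry` class and the sample entries are my own assumptions, constructed for illustration.

```python
# Added example: model a register entry and check it against the controller and
# processor field lists, then apply the fewer-than-250-staff exemption and its
# exceptions. All names and sample data are constructed assumptions.
from dataclasses import dataclass, field

# Special categories of personal data as listed in the text.
SPECIAL = {"race_or_ethnic_origin", "political_opinions",
           "religious_or_philosophical_beliefs", "trade_union_membership",
           "medical", "biometric", "sexual_orientation"}

CONTROLLER_FIELDS = ("contact_controller", "purposes", "data_subject_categories",
                     "personal_data_categories", "recipient_categories",
                     "third_country_transfers", "retention_periods",
                     "security_measures")
PROCESSOR_FIELDS = ("contact_processor", "contact_controllers",
                    "processing_categories", "third_country_transfers",
                    "security_measures")

@dataclass
class Entry:
    role: str                         # "controller" or "processor"
    fields: dict                      # register fields (see tuples above)
    high_risk: bool = False           # likely risk to data subjects' privacy
    structural: bool = False          # structural rather than occasional processing
    criminal_convictions: bool = False
    data_categories: set = field(default_factory=set)

def missing_fields(entry):
    """Required fields that are absent or empty for the entry's role."""
    required = CONTROLLER_FIELDS if entry.role == "controller" else PROCESSOR_FIELDS
    return [f for f in required if not entry.fields.get(f)]

def triggers_duty(entry):
    """Does this activity bring a <250-staff organization under the duty?"""
    return (entry.high_risk or entry.structural or entry.criminal_convictions
            or bool(entry.data_categories & SPECIAL))

def register_required(staff_count, entries):
    """250 staff or more: always; otherwise only if an exception applies."""
    return staff_count >= 250 or any(triggers_duty(e) for e in entries)

# Constructed sample: a small firm's own HR administration (controller role).
HR_ADMIN = Entry("controller", {
    "contact_controller": "Example BV, privacy@example.invalid",
    "purposes": "salary payment, absence administration",
    "data_subject_categories": "employees",
    "personal_data_categories": "name, bank account, absence records",
    "recipient_categories": "payroll provider, tax authority",
    "third_country_transfers": "none", "retention_periods": "per HR policy",
    "security_measures": "role-based access, encrypted backups",
}, structural=True, data_categories={"medical"})
```

Running `register_required(40, [HR_ADMIN])` shows that a 40-person firm is still under the duty because the HR entry is structural and involves medical data.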
Awareness seems to be the magic word around privacy, the protection of personal data and an organization's compliance in that field. For that reason it is important that the board and the management of your organization support the setting up of a processing register.
Apart from that, it is important that the organization allocates time and money to setting up such a register, based on a realistic estimate of what it will take.
The register must be kept in writing, including in electronic form. Setting up the register does not finish the task; the next issue is keeping the register up to date. It is therefore important to think about who within the organization will set up the register and who will maintain it. A question to ask within that scope is which persons in your organization process personal data because of their position (for example HR, IT, marketing et cetera). A procedure will have to be set up for keeping the register up to date, addressing questions such as (i) who is responsible for updating the register, both as to its contents and functionally, (ii) who is responsible for modifying procedures, data flows et cetera, (iii) who will adapt personal data, (iv) how frequently data will be adapted, and so forth.