In connection with the EU General Data Protection Regulation (GDPR), many companies are wondering how to practically implement records of processing activities. The record of processing activities allows companies to make an inventory of the data processing and to have an overview of how personal data is handled. It also helps companies to be compliant with the regulation and avoid penalties.
The record is a document prepared for analysis purposes and allows companies to precisely identify the following:
The records must include an inventory of all the processing implemented by your organization. If the organization is established in the European Union, details about the Data Protection Officer have to be specified. Furthermore, the record must include the following details:
The record must be held by controllers or processors so that they have an overview of all the personal data processing activities they operate. If the organization has a designated data protection officer (DPO), internal or external, the DPO can be in charge of the record. The DPO's responsibilities include updating the records regularly, in step with the practical evolution of data processing.
The following steps help an organization practically implement the records for its various processing activities:
Companies should identify and record what personal data they process. They should also keep a list of the systems in which the data is stored. As part of this assessment, the following should be recorded:
This inventory must be carried out in compliance with the records of processing activities mentioned in Article 30 of GDPR.
The data types collected should be assigned to different data categories based on their retention period. Separate categories should be created for data that is processed on behalf of a third-party data controller. This process makes it easier to retrieve the data when the company receives an access request.
According to GDPR rules, companies should archive data before deletion in a system that complies with the legal regulations on the storage of data. The duration of the archiving is determined in accordance with the applicable legal provision.
The company should regularly check whether all third-party data transfers are documented and whether the corresponding communication channels are functioning properly. The company is also required to specify its data deletion policies and to maintain proper data deletion logs for auditing purposes.