The record of processing activities
Establishing a record of processing activities
On 25 May 2018, the transition period for the implementation of the GDPR ends and compliance with its stipulations becomes legally mandatory. This also means that data processing operations must satisfy the provisions laid out in the GDPR. The first challenge you will come across, and thus the first step in creating a legally sound data privacy compliance system, will be to draw up records of all processing activities.
Such records of processing activities are intended to enable the supervisory authority to review the respective processing operations. For this reason, such records must contain information on all data processing activities of your company. It is thus necessary to identify all data processing operations, document them in a written or electronic format and finally make them available in a concise way in your records of processing activities.
Data mapping – determining the data
Use the following questions to get an overview of the data processing operations performed in your company so that you can establish an exhaustive and up-to-date record of processing activities. These questions will help you identify the essential components of that record.
Whose personal data do you need? Depending on the company you work for and your department, you might come across data of applicants, employees, suppliers, shippers, consumers, prospective and existing customers, contact persons at companies you cooperate with, third parties acting as facilitators for your business relationships with other companies, the company’s bodies (and their members) and other function holders of legal entities, etc.
For what purpose do you need the data? First, think about why you need the personal data. Do you, for example, work in the logistics or accounting department and need the data for maintaining business relationships with customers? Or do you work in the HR department and need data for payroll accounting as well as for fulfilling record-keeping and reporting requirements and obligations to provide information? Or are you part of the marketing department of your company and use your company’s own or purchased customer and prospect data to initiate business for your range of products and services?
What data do you use? Depending on the natural persons from whom you collect data and the purpose of the collection, various kinds of data may be included. If you, for example, collect data for managing customer satisfaction or business relationships with customers, you will most probably deal with customer data including the name of the customer, the name of the contact person acting for the customer, the internal customer number, address data (e.g. place of establishment), contact data (email address, fax number, telephone number), etc. If you work in the HR department, you will mostly deal with employee or applicant data such as personal details (name, address, date of birth) or details of the employment relationship (full-time/part-time, salary, length of service, supervisor, responsibilities within the company).
How do you collect the data? Finally, you will have to deal with the question of how to obtain the data from the data subjects. Does your company, for example, operate an online shop where the customer can buy goods online? In that case, you will most probably need the customer data in order to ship the goods to the customer’s address. Otherwise, you will not be able to meet the obligations arising from the contract with the customer. Or do you work in the HR department and need data from new employees in order to report the employment status to the social insurance provider? In such a case, the data is necessary for you to fulfil the company’s legal obligations.