GDPR Register Process Data
The GDPR introduces a duty on organisations to maintain a record of the processing activities under their responsibility (Article 30). Both controllers and processors must keep such a record; the exemption in Article 30(5) for organisations with fewer than 250 employees does not apply where the processing is likely to result in a risk to individuals, is not occasional, or includes special category or criminal conviction data.
The Data Processing Register is a register in which you record every processing activity across your privacy network, i.e. your organisation and the controllers and processors it works with.
The data entry form for each register entry allows you to record the following:
- Type: The type of register entry, i.e. whether your organisation acts as a Data Controller or a Data Processor for this activity.
- Status: The status of this entry, e.g.:
  - Under Review
  - Pending Action
- Title: e.g. Processing claims form on behalf of Company ABC.
- Details: Describe the purpose of the process and any other details e.g. Identify claims within warranty period.
- Controllers: The name and contact details of the controller and, where applicable, the joint controller, the controller's representative and the data protection officer.
- Processors: The name and contact details of the processor or processors and of each controller on behalf of which the processor is acting, and, where applicable, of the controller's or the processor's representative, and the data protection officer.
- Processing Safeguards: Describe how you ensure the ongoing confidentiality, integrity, availability and resilience of the processing systems and services (Article 32(1)(b)), e.g. Information Security Policy
- Security Measures: Describe the appropriate technical and organisational measures to ensure a level of security appropriate to the risk e.g. Pseudonymisation, Encryption
- Notes: Enter any additional notes.
- Actions: A log of all actions that were generated as part of this entry.
- Data Types: A selectable list of the types of data that this process will handle e.g. Financial Account
- Processing Types: A selectable list of the types of processing used e.g. Accounts
- Data Subject Types: A selectable list of data subjects being processed e.g. Customers
- Data Recipient Types: A selectable list of recipients of this processed data e.g. Suppliers
Additional information from the ICO:
What do we need to document under Article 30 of the GDPR?
You must document the following information:
- The name and contact details of your organisation (and where applicable, of other controllers, your representative and your data protection officer).
- The purposes of your processing.
- A description of the categories of individuals and categories of personal data.
- The categories of recipients of personal data.
- Details of your transfers to third countries including documenting the transfer mechanism safeguards in place.
- Retention schedules.
- A description of your technical and organisational security measures.
Should we document anything else?
As part of your record of processing activities, it can be useful to document (or link to documentation of) other aspects of your compliance with the GDPR and the UK’s Data Protection Bill. Such documentation may include:
- information required for privacy notices, such as:
  - the lawful basis for the processing
  - the legitimate interests for the processing
  - individuals' rights
  - the existence of automated decision-making, including profiling
  - the source of the personal data;
- records of consent;
- controller-processor contracts;
- the location of personal data;
- Data Protection Impact Assessment reports;
- records of personal data breaches;
- information required for processing special category data or criminal conviction and offence data under the Data Protection Bill, covering:
  - the condition for processing in the Data Protection Bill
  - the lawful basis for the processing in the GDPR
- your retention and erasure policy document.
How do we document our processing activities?
- Doing an information audit or data-mapping exercise can help you find out what personal data your organisation holds and where it is.
- You can find out why personal data is used, who it is shared with and how long it is kept by distributing questionnaires to relevant areas of your organisation, meeting directly with key business functions, and reviewing policies, procedures, contracts and agreements.
- When documenting your findings, the records you keep must be in writing, which includes electronic form (Article 30(3)). The information must be documented in a granular and meaningful way, and you must make the record available to the supervisory authority on request (Article 30(4)).