
How do you keep a data processing register that complies with the RGPD?

By Alain Garnier

Published: 12 November 2024

The General Data Protection Regulation (or GDPR) will come into force on 25 May 2018, and will apply to all public bodies and private companies carrying out large-scale processing of personal data.

It introduces the principle of accountability: each organisation must be able to demonstrate, at any time, that its processing activities comply with the applicable regulations. Keeping a register of processing operations is how that demonstration is made, and it is one of the main obligations for complying with the RGPD.

Who is required to keep a data processing register?

All companies and public bodies with more than 250 employees are affected by the RGPD and are obliged to keep a data processing register.

However, companies with fewer than 250 employees are also affected, and must draw up a processing register when one of the following situations applies:

  • The processing is likely to involve a risk to the rights and freedoms of data subjects (for example, processing that gives rise to discrimination or reveals racial origin);
  • The processing is not occasional but routine (personnel management (HR), supplier management or customer management);
  • The processing relates to special categories of data, known as "sensitive data" (racial or ethnic origin, religion or belief, political or any other opinion, health, etc.);
  • The processing relates to judicial data.

The regulations specify that the absence of a Data Protection Officer (DPO) does not exempt the organisation from keeping a register of processing operations.

The new regulation also requires personal data processors to keep a processing register.

What must a processing register contain?

The information contained in the register of processing operations must answer the following questions:

  • Who? The details identifying the data controller,
  • Why? A description of the purpose of the data processing,
  • What data? The various categories of data subjects and of data processed,
  • Where? The location of the data and its recipients,
  • Until when? The planned destruction (retention) deadlines,
  • How? The technical and organisational security measures put in place to protect the data.

As there is no exhaustive list of the elements that must appear in a processing register, other complementary elements can be added, such as whether an impact analysis is needed, a record of data breaches, etc.
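The two sections above, the test for whether a register is required at all and the six questions each entry must answer, are easy to turn into a small checker. The following is an added example, not code from the original article and not CaptainDPO's software; the `ProcessingActivity` and `Organisation` classes, their field names, the risk flags, and the rule mapping completeness onto the three statuses "In progress", "Compliant" and "Non-compliant" are all assumptions chosen to mirror the article's questions, and the sample organisation and activities are constructed data.

```python
"""Minimal register-of-processing checker (added example, not CaptainDPO code).

Assumptions: field names below mirror the article's questions (who, why, what,
where, until when, how); the 250-employee threshold and the four small-company
conditions follow the article's text; the status rule is this example's own.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional


@dataclass
class Organisation:
    name: str
    employees: int
    has_dpo: bool = False  # having no DPO does not remove the register duty


@dataclass
class ProcessingActivity:
    name: str
    controller: str = ""                                        # Who?
    purpose: str = ""                                           # Why?
    data_categories: List[str] = field(default_factory=list)    # What data?
    data_subjects: List[str] = field(default_factory=list)      # Whose data?
    storage_location: str = ""                                  # Where?
    recipients: List[str] = field(default_factory=list)         # Where (to whom)?
    retention_months: Optional[int] = None                      # Until when?
    security_measures: List[str] = field(default_factory=list)  # How?
    # flags mirroring the article's four small-organisation conditions
    risky_to_rights: bool = False
    routine: bool = False
    sensitive_data: bool = False
    judicial_data: bool = False


# fields an entry must fill to answer all six questions (assumed list)
REQUIRED_FIELDS = ("controller", "purpose", "data_categories", "data_subjects",
                   "storage_location", "recipients", "retention_months",
                   "security_measures")


def register_required(org: Organisation, activities: List[ProcessingActivity]) -> bool:
    """Over 250 employees: always. Otherwise: any activity meeting one condition."""
    if org.employees > 250:
        return True
    return any(a.risky_to_rights or a.routine or a.sensitive_data or a.judicial_data
               for a in activities)


def missing_fields(activity: ProcessingActivity) -> List[str]:
    """Names of required fields that are still empty (None, '' or [])."""
    return [name for name in REQUIRED_FIELDS
            if getattr(activity, name) in (None, "", [])]


def activity_status(activity: ProcessingActivity) -> str:
    """Assumed rule: complete -> Compliant, nothing filled -> Non-compliant,
    partially filled -> In progress."""
    missing = missing_fields(activity)
    if not missing:
        return "Compliant"
    if len(missing) == len(REQUIRED_FIELDS):
        return "Non-compliant"
    return "In progress"


def register_report(org: Organisation, activities: List[ProcessingActivity]) -> Dict:
    """Summarise the register: is it required, and where is each entry?"""
    return {
        "organisation": org.name,
        "register_required": register_required(org, activities),
        "activities": {a.name: {"status": activity_status(a),
                                "missing": missing_fields(a)} for a in activities},
    }


# Constructed sample data: a 40-person company with no DPO and three activities.
SAMPLE_ORG = Organisation(name="Example SARL", employees=40, has_dpo=False)
SAMPLE_ACTIVITIES = [
    ProcessingActivity(
        name="payroll", controller="HR director", purpose="pay employees",
        data_categories=["identity", "bank details"], data_subjects=["employees"],
        storage_location="EU datacentre", recipients=["payroll provider"],
        retention_months=60, security_measures=["encryption at rest", "RBAC"],
        routine=True),
    ProcessingActivity(
        name="newsletter", controller="Marketing lead", purpose="send news",
        data_categories=["email"], data_subjects=["subscribers"]),
    ProcessingActivity(name="health-survey", sensitive_data=True),
]

if __name__ == "__main__":
    for name, info in register_report(SAMPLE_ORG, SAMPLE_ACTIVITIES)["activities"].items():
        print(f"{name}: {info['status']} (missing: {', '.join(info['missing']) or 'none'})")
```

Running the module prints one line per activity; `register_report` is the function to call from a larger tool, since it returns plain dictionaries rather than printing. Extending the completeness rule (for instance, requiring an impact-analysis note when `sensitive_data` is set) is a matter of adding entries to the checks, which is the "complementary elements" point the article makes.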

Example of a data processing register with CaptainDPO

CaptainDPO publishes a SaaS software solution to help DPOs manage their organisation's compliance with the RGPD.

The dashboard presents a list of the various processing operations, showing for each:

  • The data controller,
  • The company,
  • The status of the processing operation (In progress - Compliant - Non-compliant).

CaptainDPO lets you see where you are not compliant so that you can take the necessary action by creating tasks and tracking them to completion.

Details of each processing operation are also available:

  • An overall description of the processing operation,
  • The person responsible for the processing,
  • The purpose of the processing,
  • The security measures used to protect the data,
  • The category of data processed,
  • The location of the data (in the event of data being transferred outside the EU).

Management of several registers is now integrated into CaptainDPO for external DPOs who work for more than one organisation.

Penalties for non-compliance with this obligation

Failure to comply with the obligation to keep a register of processing operations or to carry out an impact assessment prior to processing personal data can result in severe penalties.

The fine may amount to 2% of the company's worldwide turnover or €10 million, whichever is higher.

Article translated from French