Register of Processing activities: from burden to asset

Register of Processing activities, yes, it’s a huge asset for your company

As you most likely already know, on May 25th 2018, the General Data Protection Regulation (GDPR) came into force. You may also know by now that this EU regulation is here to stay. The GDPR lays down new rules on how data must be protected, how the processing of personal data must be made transparent, and more. As recently as last week, the Dutch ‘Autoriteit Persoonsgegevens’ issued a fine of €600.000 to Uber for not disclosing their personal data leak in an appropriate timeframe.

Among other requirements, the GDPR mandates written documentation and an overview of the procedures by which personal data are processed. This obligation to create records of processing activities, the so-called “Register of Processing activities”, is imposed not only on the controller and their representative, but also directly on the processor and their representatives. The Register of Processing activities must include significant information about data processing, including data categories, the group of data subjects, the purpose of the processing and the data recipients. Many companies see this obligation as a nuisance and an added administrative burden …

Use it as an asset

The processing register is not only a requirement or an obligation. Maintaining a correct and up-to-date register of processing activities has major advantages. A single register gives you insight into the personal data you process, where you outsource the processing and what your processing chain looks like. This makes it easy to identify the processing activities that may carry higher risk and therefore need more organizational or technical safeguards. The register also makes it easy to find information when you receive questions from your customers, employees or other data subjects whose data you process. Finally, you know who to contact in the unlikely event of a data incident.
In one sentence: it allows you to demonstrate your best efforts toward GDPR compliance to an auditor or in a court case.

Do you have questions about setting up a register of processing activities or Privacy (GDPR) and ICT Law in general? Contact Ingrid.