A quality record of processing activities lays the foundation for a successful route towards GDPR accountability. At the same time it requires a properly structured approach, including SMART-formulated purposes. Without this SMART formulation, the correct execution of most of the GDPR's mandatory privacy activities becomes an impossible objective to realise and will position you on the sidelines of doing business.
If your organisation employs more than 250 people, maintaining a record of processing activities is a categorical GDPR requirement. If your organisation employs fewer than 250 people, the record-keeping obligation may still apply. This is the case when the processings (1) are likely to result in a risk to the rights and freedoms of data subjects, (2) are not occasional, (3) concern special categories of data, or (4) concern personal data relating to criminal convictions and offences.
What does this involve?
Art. 30 GDPR stipulates that you have to identify and qualify processing(s). Art. 35 GDPR states that processings need to be subjected to a preliminary risk assessment. Let's have a more detailed look at the three steps in which this should be done.
1. Identifying a processing
The first question to be answered is how to define a processing. Art. 4 GDPR is rather vague in its definition of 'processing'. In practice, 'processings' are identified in multiple ways in the records of processing activities I have seen so far. So what is a 'processing'? My practical answer is:
organisation in which personal data is used as input.”
Why not an application (software or paper) or a business activity, you may ask? Within organisations (read: controllers), applications can be replaced and activities easily altered, while the underlying business processes are most likely to remain unchanged.
2. Qualifying a processing
Qualifying a processing is the most important of the three steps. It requires first and foremost the SMART definition of the purpose(s) of a processing, in terms of: Specific, Measurable, Achievable, Realistic, Time-specific.
Why SMART? Because the defined purpose is the foundation on which the further qualification of the processing in terms of 'legal basis', 'category of users', 'category of personal data', and 'retention period' is based. A properly defined purpose yields a more precise result, and consequently is of more practical value in becoming GDPR accountable.
3. Preliminary risk assessment
This assessment requires three checks. First, a check according to Article 35(4) GDPR needs to be done. This involves analysing the processing at hand against a list of processings for which a data protection impact assessment (DPIA) is mandatory. This list is provided by each national supervisory authority and has been subjected to the consistency mechanism referred to in Article 63 GDPR. If the result of this analysis is that the processing is on the list, you have to do a DPIA. If not, you have to perform the second check, which involves analysing your processing against a list of nine criteria provided by the European supervisory authority. In the event that two or more of these high-risk criteria apply to your processing, you have to do a DPIA. That leaves the third check, which is about answering the question whether or not the processing has previously been the exclusive or partial subject of a DPIA, whether there have been changes to the processing and its specific purposes since that time, and/or whether new technologies have been introduced. If nothing has changed since the last DPIA performed, this can result in the decision that no DPIA needs to be done.
Four reasons to do the work
The first reason should be the fact that the supervisory authority may pay you a visit, which is the case when you have to report a serious data breach and haven't done the work. However, there are at least three even more compelling business reasons, involving your customers, financiers and accountants, that should drive all organisations to create a quality record of processing activities:
- customers requiring GDPR audits as part of sales contracts;
- financiers requiring GDPR audits before signing off on loans and investments;
- accountants requiring GDPR audits before signing off on annual statements.
So, take the time, make the effort. You will not be the only one to benefit.