Under the GDPR, there is one really important piece that organisations struggle to understand: Art 5.2 aka "Accountability".
When you read the GDPR, Art 5.2 is short. It says that organisations need to be able to demonstrate that their processing of personal data is carried out following 6 principles. These principles are also short and are described in Art 5.1. Most of what follows in the GDPR is a logical extension of Articles 5.1 and 5.2. (You can read the GDPR more easily on our website dataprotectionact.ie)
Some people make it very complicated, while ignoring a simple approach.
The simple approach is to look at another part of the GDPR: Art 30.
Article 30 tells organisations that they need to keep a register of their regular processing activities.
You read that correctly: ALL organisations, including YOURS, need to have such a register for all regular activities (I admit, it is poorly phrased in the GDPR).
I have seen many organisations taking this literally. They have compiled a spreadsheet listing what they thought were processing activities and filled in a few bits of information required using the ICO (UK Supervisory Authority) template.
From a strict compliance point of view, you have ticked a box.
Shall we approach this from another angle?
Have you considered when a data protection Supervisory Authority will ask you for such register?
I could be wrong, but given their workload, for the majority of organisations, they will inspect following a data protection incident involving your organisation.
Beyond the register, they will ask for the evidence required in Article 5.2.
Why would the data protection Supervisory Authority look at your processing activities in the context of an incident?
Because behind the incident are people whose data wasn't protected properly, and this can have an impact on people's rights and freedoms (GDPR isn't a privacy law, read Art 1.2 again).
Let me ask you a simple question:
Do you know when an incident will hit your organisation?
I don't, do you?
So if you read Article 30 from a different angle, you will see that it says "where possible, document the technical and organisational measures to protect personal data". Put this together with Art 5.2, and a good register of processing activities covers both: it is the register Art 30 requires and the evidence Art 5.2 asks you to be able to produce.
How do you do this?
You simply need to conduct a detailed inventory of assets, suppliers, partners and people, and put all the pieces together by talking to people. You then put it all in a purpose-built database and analyse the risks. We call it a Corporate DPIA (DPIA being the acronym for data protection impact assessment).
Every client I spoke to, as they did this, identified issues:
Are computers protected? Do people use their own computers or phones for business? Can websites be easily hacked? Is there a good reason to ask for the great-grandmother's date of birth when people order a bouncy castle on your website?
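To make the inventory-and-analyse step concrete, here is an added example (not the author's or Bizoneo's code) of the simplest possible register of processing activities with automated gap checks. The field names, the checks and the two sample entries are constructed for illustration; a real register holds more than this, but the idea is the same: every entry must carry the Art 30 items plus the measures that protect the data, and anything missing is flagged before a Supervisory Authority asks.

```python
from dataclasses import dataclass, field
from typing import Dict, List

# Items Article 30(1) asks a controller to record (paraphrased here; the exact
# wording, including "where possible" for security measures, is in the Regulation).
REQUIRED_FIELDS = ("purpose", "data_subjects", "data_categories", "recipients", "retention")


@dataclass
class ProcessingActivity:
    """One row of the register (field names are assumptions for this example)."""
    name: str
    purpose: str = ""
    data_subjects: List[str] = field(default_factory=list)
    # category of personal data -> why it is needed for the purpose ("" = nobody could say)
    data_categories: Dict[str, str] = field(default_factory=dict)
    recipients: List[str] = field(default_factory=list)
    retention: str = ""
    measures: List[str] = field(default_factory=list)  # technical and organisational measures
    byod: bool = False  # staff handle this data on their own computers or phones


def audit_activity(a: ProcessingActivity) -> List[str]:
    """Return the gaps a Supervisory Authority would notice in one register entry."""
    findings: List[str] = []
    for item in REQUIRED_FIELDS:
        if not getattr(a, item):
            findings.append(f"{a.name}: Art 30 item '{item}' is empty")
    if not a.measures:
        findings.append(f"{a.name}: no technical/organisational measures recorded (Art 5.2 evidence)")
    # Data minimisation (Art 5.1(c)): every category collected needs a stated reason.
    for category, reason in a.data_categories.items():
        if not reason.strip():
            findings.append(f"{a.name}: no justification for collecting '{category}'")
    # Personal devices in use but no recorded measure that addresses them.
    if a.byod and not any("device" in m.lower() for m in a.measures):
        findings.append(f"{a.name}: personal devices in use but no device-related measure recorded")
    return findings


def audit_register(register: List[ProcessingActivity]) -> Dict[str, List[str]]:
    """Audit every entry; an empty list means no gap was found for that activity."""
    return {a.name: audit_activity(a) for a in register}


# Constructed sample register for a hypothetical small business.
SAMPLE_REGISTER = [
    ProcessingActivity(
        name="Payroll",
        purpose="Pay employees and report to the tax authority",
        data_subjects=["employees"],
        data_categories={"name": "identify employee", "bank account": "make payment",
                         "tax number": "statutory reporting"},
        recipients=["payroll provider", "tax authority"],
        retention="7 years after employment ends",
        measures=["role-based access to payroll system", "encrypted backups",
                  "annual staff training"],
    ),
    ProcessingActivity(
        name="Bouncy castle web orders",
        purpose="Take and deliver online orders",
        data_subjects=["customers"],
        data_categories={"name": "identify customer", "delivery address": "deliver the castle",
                         "great-grandmother's date of birth": ""},  # nobody knows why it is asked
        recipients=["payment provider"],
        retention="",                     # nobody has decided how long orders are kept
        measures=["TLS on the web shop"],
        byod=True,                        # orders are checked on staff's own phones
    ),
]

if __name__ == "__main__":
    for activity, findings in audit_register(SAMPLE_REGISTER).items():
        print(activity, "->", findings or ["no gaps found"])
```

Run as-is, the payroll entry comes back clean and the web-orders entry produces three findings (no retention period, an unjustified data category, and personal devices with no measure covering them), which is exactly the list of questions the author's clients ended up asking themselves.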
Where do you find such database?
You're in the right place. Bizoneo is an easy-to-use solution to assist your organisation on the matter. It is made and hosted in the EU (in Ireland). It respects privacy and, if privacy is important to your organisation, it doesn't run on GAFAM infrastructure.
CDPO - CIPP/E