This short post is relevant to the GDPR (Art 30), EUIDPR (Art 31) or POPIA (Section 7). Don't be ashamed if you have a CIPP/E, a DPO certificate or a Master in law and struggle with documenting processing activities: most of these are theoretical and may not equip you with the basics of data mapping. Hopefully this short post will help you move forward.
Regular processing activities under the GDPR must be documented for organisations with fewer than 250 staff, while all processing activities must be documented for organisations with more than 250 staff (from the poorly phrased Art 30.5). Under EUIDPR, there is no threshold and all activities under the responsibility of the relevant EU Institutions must be documented.
We will use a small example to ease your understanding. Let's assume you are not too familiar with data processing, yet have been asked to document processing activities around a popular application, "Outlook".
First, let me point out that "Outlook" isn't a processing activity. It is a tool.
Around "Outlook", at a high level, the processing activities would be (generally):
When you have documented what the activities consist of, you will find out that each activity will usually use several "assets" so data can be processed. Don't hesitate to involve IT staff, who will be happy to provide you with more information. Outlook would only be one "asset". In the case above, you would usually find:
Remember that each activity needs to have a lawful basis (cf. Art 6 GDPR, Art 5 EUIDPR) and a purpose (specific, explicit and legitimate).
Each activity takes place and each asset is located somewhere in the world (I am not sure of the status of the Space Station). Sometimes the location is not in the EEA (European Economic Area). If it is not in the EEA, you need to find appropriate safeguards so that the rights and freedoms of the people whose data is processed are equivalent to those in the EU Charter (of fundamental rights). Articles 44 to 50 of the GDPR (Art 46 to 51 EUIDPR) will guide you. I would like to wish you good luck on this as in many cases, you need to conduct a transfer impact assessment, and it's not an easy task.
Each activity may be outsourced to a data processor. In such a case, there are other obligations: you need to provide instructions to the data processor (Art 28 GDPR, Art 29 EUIDPR).
You also need to document who the people are whose personal data is processed (hence the name "data subject") and the categories of data processed. In our example it could be something such as:
Reminder: Staff are also in scope of the documentation. I remember talking to a DPO once who thought there was no work to do for staff. The DPO was wrong.
There need to be appropriate Technical & Organisational Measures implemented to ensure the security of the data processed. You need to analyse the threats and vulnerabilities that surround the processing. For instance:
Technical measures may be (non-exhaustive list):
Organisational measures may be (non-exhaustive list):
How do you do this?
You simply need to conduct a detailed inventory of the activities by talking to people. Note the assets, suppliers, partners and people, and put all the pieces together. You then put everything in a purpose-built database and analyse the risks. We call it a Corporate DPIA (DPIA being the acronym for data protection impact assessment).
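As an added illustration (not from the post and not Bizoneo's code), here is a small Python model of one record in that inventory: an activity with its purpose, lawful basis, data subjects, categories, assets, processor and measures, plus a check that flags the gaps described above (a non-EEA asset without a transfer safeguard, a processor without instructions, missing measures). The country list, field names and the two sample activities are assumptions built around the email example.

```python
from dataclasses import dataclass, field

# Constructed, partial set of EEA country codes used for the location check (Art 44-50 GDPR).
EEA = {"AT", "BE", "DE", "DK", "ES", "FI", "FR", "IE", "IS", "IT", "LI", "NL", "NO", "PL", "PT", "SE"}

@dataclass
class Asset:
    name: str
    country: str                  # where the asset is located or hosted (ISO code)
    transfer_safeguard: str = ""  # e.g. "SCC + TIA"; empty means none documented

@dataclass
class Activity:
    name: str
    purpose: str                  # specific, explicit and legitimate
    lawful_basis: str             # Art 6 GDPR / Art 5 EUIDPR
    data_subjects: list           # e.g. staff, customers
    data_categories: list         # e.g. name, email address
    assets: list                  # tools and systems the activity relies on
    processor: str = ""           # data processor, if the activity is outsourced
    processor_instructions: bool = False  # Art 28 GDPR / Art 29 EUIDPR instructions in place?
    technical_measures: list = field(default_factory=list)
    organisational_measures: list = field(default_factory=list)

def gaps(act: Activity) -> list:
    """List what is missing from one record; an empty list means the record is complete."""
    found = []
    if not act.purpose or not act.lawful_basis:
        found.append("purpose or lawful basis missing")
    if not act.data_subjects or not act.data_categories:
        found.append("data subjects or categories missing")
    for asset in act.assets:  # every asset outside the EEA needs a documented safeguard
        if asset.country not in EEA and not asset.transfer_safeguard:
            found.append(f"{asset.name}: outside EEA with no transfer safeguard")
    if act.processor and not act.processor_instructions:
        found.append(f"{act.processor}: no processor instructions")
    if not act.technical_measures or not act.organisational_measures:
        found.append("technical or organisational measures missing")
    return found

# Constructed sample records around the email example in the post.
MAILBOX = Asset("Exchange mailbox", "IE")
NEWSLETTER_TOOL = Asset("Newsletter platform", "US")  # no safeguard documented
STAFF_EMAIL = Activity("Staff email", "internal communication", "legitimate interest (Art 6(1)(f))",
                       ["staff"], ["name", "work email", "message content"], [MAILBOX],
                       technical_measures=["TLS", "MFA"], organisational_measures=["email policy"])
MARKETING = Activity("Marketing emails", "promote services", "consent (Art 6(1)(a))",
                     ["customers"], ["name", "email"], [NEWSLETTER_TOOL],
                     processor="Newsletter vendor", technical_measures=["TLS"])
```

Running `gaps(MARKETING)` returns three findings (the US-hosted asset, the processor without instructions, and the missing organisational measures), while `gaps(STAFF_EMAIL)` returns an empty list.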
Where do you find such database?
You're in the right place. Bizoneo is an easy-to-use solution to assist your organisation on the matter. It is made and hosted in the EU (in Ireland). It respects privacy, and if privacy is important to your organisation, it doesn't run on GAFAM infrastructure nor place unnecessary cookies. When you get in touch, we'll show you examples of such records of processing activities that can be run from Bizoneo.
CDPO - CIPP/E