This short post is relevant to the GDPR (Art 30), EUIDPR (Art 31) or POPIA (Section 7). Don't be ashamed if you have a CIPP/E, a DPO certificate or a Master in law and struggle with documenting processing activities: most of these are theoretical and may not equip you with the basics of data mapping. Hopefully this short post will help you move forward.
Let's consider the GDPR. Organisations with more than 250 staff must document all their processing activities, but organisations with fewer than 250 staff must still document some activities (Art 30.5) when:
- the processing carried out is likely to result in a risk to the rights and freedoms of data subjects (cf the EU Charter of Fundamental Rights);
- the processing includes special categories of data as referred to in Article 9(1) or personal data relating to criminal convictions and offences referred to in Article 10;
- the processing is not occasional.
"The processing is not occasional" means that activities such as HR, marketing and sales would normally need to be documented, since they are regular or frequent rather than occasional.
Under EUIDPR, there is no threshold and all activities under the responsibility of the relevant EU Institutions must be documented.
We will use a small example to ease your understanding. Let's assume you are not too familiar with data processing, yet have been asked to document processing activities around a popular application, "Outlook".
First, let me point out that "Outlook" isn't a processing activity. It is a tool.
Around "Outlook", at a high level, the processing activities would be (generally):
When you have documented what the activities consist of, you will find that each activity usually relies on several "assets" so that data can be processed. Don't hesitate to involve IT staff, who will be happy to provide you with more information. Outlook would only be one "asset". In the case above, you would usually find:
Remember that each activity needs to have a lawful basis (cf Art 6 GDPR, Art 5 EUIDPR) and a purpose (specific, explicit and legitimate).
Each activity takes place, and each asset is located, somewhere in the world (I am not sure of the status of the Space Station). Sometimes the location is not in the EEA (European Economic Area). If it is not in the EEA, you need to find appropriate safeguards so that the rights and freedoms of the people whose data is processed are equivalent to those in the EU Charter of Fundamental Rights. Articles 44 to 50 of the GDPR (Art 46 to 51 EUIDPR) will guide you. I would like to wish you good luck on this, as in many cases you need to conduct a transfer impact assessment, and it's not an easy task.
Each activity may be outsourced to a data processor. In such a case, there are other obligations: you need to provide instructions to the data processor (Art 28 GDPR, Art 29 EUIDPR).
You also need to document who the people whose personal data is processed are (hence the name "data subject") and the categories of data processed. In our example it could be something such as:
Reminder: Staff are also in scope of the documentation. I remember talking to a DPO once who thought there was no work to do for staff. The DPO was wrong.
Appropriate Technical & Organisational Measures need to be implemented to ensure the security of the data processed. You need to analyse the threats and vulnerabilities that surround the processing. For instance:
Technical measures may be (non-exhaustive list):
Organisational measures may be (non-exhaustive list):
How do you do this?
You simply need to conduct a detailed inventory of the activities by talking to people. Note the assets, suppliers, partners and people, and put all the pieces together. You then put it all in a purpose-built database and analyse the risks. We call it a Corporate DPIA (DPIA being the acronym for data protection impact assessment).
Where do you find such database?
You're in the right place. Bizoneo is an easy-to-use solution to assist your organisation on the matter. Check our compliance solutions page for further information. Our solutions are made and hosted in the EU (in Ireland). They respect privacy: if privacy is important to your organisation, note that Bizoneo doesn't run on GAFAM infrastructure or place unnecessary cookies. When you get in touch, we'll show you examples of such records of processing activities that can be managed from Bizoneo.
What about websites?
In May 2023, Bizoneo launched bizoscore.eu, designed to assist the discovery of public facing parts of organisations' infrastructures. While the goal of Bizoscore is to help the identification of security and privacy vulnerabilities, the discovery of assets should raise questions about additional processing activities.
Claude Saulnier
CDPO - CIPP/E
Bizoneo
First published: 21 January 2022
Last updated: 26 June 2023