Documenting processing activities

This short post is relevant to the GDPR (Art 30), EUIDPR (Art 31) or POPIA (Section 7). Don't be ashamed if you have a CIPP/E, a DPO certificate or a Master in law and struggle with documenting processing activities: most of these are theoretical and may not equip you with the basics of data mapping. Hopefully this short post will help you move forward.

Regular processing activities under the GDPR must be documented for organisations with fewer than 250 staff, while all processing activities must be documented for organisations with more than 250 staff (from the poorly phrased Art 30.5). Under the EUIDPR there is no threshold: all activities under the responsibility of the relevant EU institutions must be documented.

We will use a small example to ease your understanding. Let's assume you are not too familiar with data processing, yet have been asked to document the processing activities around a popular application, "Outlook".

First, let me point out that "Outlook" isn't a processing activity. It is a tool.

Around "Outlook", at a high level, the processing activities would be (generally):

  1. to send and receive emails between recipients
  2. to organise meetings between people
  3. to store notes 
  4. etc (you'll probably find 20 more).

When you have documented what the activities consist of, you will find that each activity usually relies on several "assets" so that data can be processed. Don't hesitate to involve IT staff, who will be happy to provide you with more information. Outlook would only be one "asset". In the case above, you would usually find:

  • A computer (where software is installed or run from)
  • The "Outlook" software client
  • A mail server (that relays emails in and out your organisation)
  • A CalDAV server (for meeting calendars)
  • A computer network (for the data to flow in and out of your organisation)
  • An internet router
  • A firewall
  • An ISP (internet service provider)
  • Recipients' equipment

Remember that each activity needs to have a lawful basis (cf Art 6 GDPR, Art 5 EUIDPR) and a purpose (specific, explicit and legitimate).

Each activity takes place, and each asset is located, somewhere in the world (I am not sure of the status of the Space Station). Sometimes the location is not in the EEA (European Economic Area). If it is not in the EEA, you need to find appropriate safeguards so that the rights and freedoms of the people whose data is processed are equivalent to those in the EU Charter of Fundamental Rights. Articles 44 to 50 of the GDPR (Art 46 to 51 EUIDPR) will guide you. I would like to wish you good luck on this as in many cases, you need to conduct a transfer impact assessment, and it's not an easy task.

Each activity may be outsourced to a data processor. In such a case, there are other obligations: you need to provide instructions to the data processor (Art 28 GDPR, Art 29 EUIDPR).

You also need to document who the people are whose personal data is processed (hence the name "data subject") and the categories of data processed. In our example it could be something such as:

  • Staff (data subject)
    • first name
    • surname
    • email address
    • time stamp
    • email body
    • meeting time
    • notes
  • Client (data subject)
    • first name
    • surname
    • email address
    • time stamp
    • email body
    • meeting time
    • notes
    • sales history
    • consent to marketing

Reminder: Staff are also in scope of the documentation. I remember talking to a DPO once who thought there was no work to do for staff. The DPO was wrong.

There need to be appropriate Technical & Organisational Measures in place to ensure the safety of the data processed. You need to analyse the threats and vulnerabilities that surround the processing. For instance:

  • Is the computer hard drive encrypted (in case it is stolen or lost)?
  • Is the data transfer between the client and the server, and between each recipient, encrypted (to prevent someone reading everything while the data is in transit)?
  • Is the data backed up (so you don't lose it in an incident)?
  • Does the email client or the computer operating system send data behind people's backs? (This is the case, for instance, with Windows or Microsoft Office, which send so-called "telemetry data" to Microsoft without consent and without telling you.)

Technical measures may be (non-exhaustive list):

  • Encryption at rest
  • Encryption in transit
  • Access control
  • Backups
  • Firewall configuration
  • Penetration testing of the infrastructure

Organisational measures may be (non-exhaustive list):

  • Policies (to ensure people use the equipment for lawful activities)
  • Access rights (to ensure people have access to the data they work with)
  • Training (to ensure people understand the policies)

How do you do this?

You simply need to conduct a detailed inventory of the activities by talking to people. Note the assets, suppliers, partners and people, and put all the pieces together. You then put it all in a purpose-built database and analyse the risks. We call this a Corporate DPIA (DPIA being the acronym for data protection impact assessment).

Where do you find such a database?
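To show what "putting all the pieces together" looks like in a structured form, here is a small Python model of one record of processing activities, with checks for the gaps discussed above (missing purpose or lawful basis, assets outside the EEA without safeguards, processors without instructions, missing technical measures, staff left out of scope). This is an added example and is not code from the post or from Bizoneo; the class and field names, the EEA country list, the sample "send and receive emails" record and the hypothetical mail host it names are all assumptions.

```python
"""Minimal record-of-processing-activities model with documentation-gap checks.

Added example (not the post's or Bizoneo's code). Field names, the check rules
and the sample record below are assumptions illustrating the data-mapping
structure: activity -> assets (with location) -> data subjects -> measures.
"""
from __future__ import annotations
from dataclasses import dataclass, field

# EU member states plus Iceland, Liechtenstein and Norway (ISO 3166-1 alpha-2).
EEA = {"AT", "BE", "BG", "HR", "CY", "CZ", "DK", "EE", "FI", "FR", "DE", "GR", "HU",
       "IS", "IE", "IT", "LV", "LI", "LT", "LU", "MT", "NL", "NO", "PL", "PT", "RO",
       "SK", "SI", "ES", "SE"}


@dataclass
class Asset:
    name: str
    country: str                          # where the asset is physically located
    operator: str = "controller"          # "controller" or the data processor's name
    safeguard: str = ""                   # e.g. "SCCs + TIA" for assets outside the EEA
    processor_instructions: bool = False  # documented instructions (Art 28 GDPR)?


@dataclass
class DataSubject:
    category: str                         # e.g. "Staff", "Client"
    data: list[str]                       # categories of personal data


@dataclass
class ProcessingActivity:
    name: str
    purpose: str                          # specific, explicit and legitimate
    lawful_basis: str                     # Art 6 GDPR ground, e.g. "contract"
    assets: list[Asset]
    subjects: list[DataSubject]
    technical_measures: list[str] = field(default_factory=list)
    organisational_measures: list[str] = field(default_factory=list)


def check_activity(a: ProcessingActivity) -> list[str]:
    """Return the documentation gaps found in one activity record (empty if none)."""
    gaps: list[str] = []
    if not a.purpose.strip():
        gaps.append("missing purpose (must be specific, explicit and legitimate)")
    if not a.lawful_basis.strip():
        gaps.append("missing lawful basis (Art 6 GDPR / Art 5 EUIDPR)")
    if not a.subjects:
        gaps.append("no data subjects documented")
    elif not any(s.category.lower() == "staff" for s in a.subjects):
        gaps.append("no 'Staff' data subject recorded: confirm staff data is really out of scope")
    for asset in a.assets:
        if asset.country.upper() not in EEA and not asset.safeguard:
            gaps.append(f"asset '{asset.name}' is outside the EEA ({asset.country}) "
                        "with no transfer safeguard (Art 44-50 GDPR)")
        if asset.operator != "controller" and not asset.processor_instructions:
            gaps.append(f"asset '{asset.name}' is run by processor '{asset.operator}' "
                        "without documented instructions (Art 28 GDPR)")
    for measure, why in (("Encryption at rest", "lost or stolen device"),
                         ("Encryption in transit", "data readable on the wire"),
                         ("Backups", "data lost in an incident")):
        if measure not in a.technical_measures:
            gaps.append(f"no '{measure}' recorded ({why})")
    return gaps


def example_email_record() -> ProcessingActivity:
    """Constructed sample record for the first activity in the post."""
    return ProcessingActivity(
        name="Send and receive emails between recipients",
        purpose="Business correspondence with clients and colleagues",
        lawful_basis="contract",
        assets=[
            Asset("Staff laptop", "IE"),
            Asset("Outlook client", "IE"),
            # Hypothetical processor hosting the mail server outside the EEA.
            Asset("Mail server", "US", operator="ExampleMailHost (hypothetical)"),
            Asset("Firewall", "IE"),
        ],
        subjects=[
            DataSubject("Staff", ["first name", "surname", "email address",
                                  "time stamp", "email body"]),
            DataSubject("Client", ["first name", "surname", "email address",
                                   "time stamp", "email body"]),
        ],
        technical_measures=["Encryption at rest", "Encryption in transit"],
        organisational_measures=["Policies", "Access rights", "Training"],
    )


if __name__ == "__main__":
    for gap in check_activity(example_email_record()):
        print("-", gap)
```

Run as a script, the sample record produces three gaps: the mail server sits outside the EEA with no safeguard, it is run by a processor without documented instructions, and no backups are recorded. Fill in the safeguard, mark the instructions as in place and add "Backups" to the measures, and the check returns an empty list. The same structure extends naturally to the other activities in the post (meetings, notes), one record per activity.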

You're in the right place. Bizoneo is an easy-to-use solution to assist your organisation on the matter. It is made and hosted in the EU (in Ireland). It respects privacy: if privacy is important to your organisation, note that it doesn't run on GAFAM infrastructure and doesn't place unnecessary cookies. When you get in touch, we'll show you examples of records of processing activities that can be run from Bizoneo.

Claude Saulnier
CDPO - CIPP/E

Brand Ambassador
Bizoneo