Register of Processing Activities - Corporate DPIA
Legislation and regulations such as the GDPR and the EUIDPR require organisations to maintain records of their processing activities (GDPR Article 30 - EUIDPR Article 31). Beyond their mandatory nature, the rationale for these records is that understanding the data flows makes it possible to justify the data processing.
A number of EU Data Protection Authorities have released templates for small businesses, but filling in templates can be misleading. There is a risk that a "template filling exercise" doesn't lead to a proper analysis of the data flows, justification of data processing and mitigation.
Bizoneo allows organisations to easily gather and document their processing activities, and generate reports to assist Management and the Data Protection Officer. We also provide specific features to assist data-processors.
- Detailed records of processing activities
- Data description;
- Documentation of the lawful basis to process the data
- Retention period;
- Documentation of staff and contractors with access to the data
- Link to the organisation's assets with technical and organisational measures
- Link to the organisation's data-processors (or controllers) with technical and organisational measures
- Category of data processed
- Ability to document the steps to justify "legitimate interest" based processing (not available in EUIDPR);
- Ability to document "consent" based processing;
- Ability to group processing activities into services
- Data flows between processing activities
- Documentation of compliance with the GDPR Article 5 / EUIDPR Article 4 principles for each activity or service
- Dashboard for management;
Assistance in breach handling
- The records of processing are mandatory in case of an investigation by a Data Protection Supervisory Authority or the EDPS (EUIDPR)
Dedicated features for data-processors
- Ability to provide the documentation required to assist the proper completion of data-processing agreements;
- Handling of the data disposal register;
- Classification of records of processing activity (also in line with ISO 27001 requirements);
- Ability to export in Excel/Word/PDF.
- Ability to add data classification attributes;
- Encryption at rest and in transit;