Process Mapping - Register of Processing Activities
Legislation and regulations such as the GDPR and the EUIDPR require organisations to maintain records of their processing activities (GDPR Article 30 - EUIDPR Article 31). Beyond the mandatory nature of the records of processing activities, the rationale is that understanding the data flows allows the organisation to justify its data processing.
A number of EU Data Protection Authorities have released templates for small businesses, but filling in templates can be misleading. There is a risk that a "template filling exercise" does not lead to a proper analysis of the data flows, a justification of the data processing, or mitigation.
For Financial Entities, Article 8 of the Digital Operational Resilience Act (DORA) requires a good understanding of processes and of how data is processed in order to assess the critical functions.
Bizoneo allows organisations to easily gather and document their processing activities, and to generate reports to assist Management and the Data Protection Officer. We also provide specific features to assist data-processors.
Key features
Process and Data Inventory
- Detailed records of processing activities
- Data description
- Documentation of the lawful basis for processing the data
- Retention period
- Document staff and contractors with access to the data
- Link to the organisation's assets with technical and organisational measures
- Link to the organisation's data-processors (or controllers) with technical and organisational measures
- Category of data processed
- Ability to document the steps to justify "legitimate interest" based processing (not available in EUIDPR)
- Ability to document "consent" based processing
Service catalogue
- Ability to group processes and processing activities into services
- Data flows between processing activities
Monitor compliance
- Document compliance with the GDPR (Article 5) / EUIDPR (Article 4) principles for each activity or service
- Feed to the DORA register of information
- Dashboard for management
Assistance in Supervisory Authority investigation
- The records of processing activities are mandatory and should be available to the data protection Supervisory Authority or the EDPS (EUIDPR)
Assistance in breach handling
- Proper records of processing activities will save significant time in a data breach investigation
Dedicated features for data-processors
- Ability to provide the documentation required to assist the proper completion of data-processing agreements
- Handling of the data disposal register
General features
- Classification of records of processing activity (also in line with ISO 27001 requirements)
- Ability to export in Excel/Word/PDF
- Ability to add data classification attributes
- Encryption at rest and in transit