Your privacy records should include these 11 topics
Under the General Data Protection Regulation, organisations will no longer have to notify the Dutch Data Protection Authority regarding the processing of personal data. Instead, organisations will have to keep internal records of their processing activities. Although the GDPR will relieve organisations of some administrative burdens, do not expect recordkeeping to be one of them. In summary, both controllers and processors will have to keep records of more of the same information. This blog post will tell you the basics of setting up your internal privacy records.
Set up a database with these topics to manage internal records
Here is an inventory of 11 topics based on GDPR Articles that affect your internal records. I have summarised the relevant requirements. Your database should contain at least the following details for each processing activity:
# | Topic | GDPR Section |
1. | Identity and contact details of your organisation as controller and its DPO if applicable (also for processors) | 30.1a, 30.2a, 13.1a |
2. | The purposes for which your organisation processes personal data, linked to specific categories of personal data (in #5) | 30.1b, 13.1c |
3. | The legal ground based on which your organisation processes the data. In cases involving consent, how the data subject has consented | 13.1c, 7.1, 13.1d |
4. | Categories of data subjects (also for processors) | 30.1c, 30.2d |
5. | Categories of personal data, whether the data are sensitive, why they are required, whether the data are compulsory, and what the consequences are if the data are not collected | 30, 13.2e |
6. | All (sub)processors of the processing activity and their authorisation (or the controller for which you process as processor) | 28.2, 28.3 |
7. | Categories of recipients | 30.1d, 13.1e |
8. | Transfers, including the mechanism you use (also for processors) | 30.1e, 30.2c, 13.1f |
9. | Time limits for deletion and storage periods, or at least the criteria used to establish them | 30.1f, 13.2a |
10. | Security measures (also for processors) | 30.1g, 30.2d |
11. | The source of the data | 14f |
How should you start?
- Awareness. First, raise awareness in your organisation. Retrieving reliable data is essential to getting an accurate and complete picture of your organisation’s processing activities. Awareness in your organisation will help retrieve information from your colleagues and they will be able to signal changes and issues proactively.
- Structure. Structure your processing activities overview and centralise your documentation. Whether you do this in spreadsheets or any other database is up to you and your budget.
- Standardise. We recommend standardising your approach to maintain version control and to apply a change history. Keep track of your records’ lifecycle; (first) draft, valid or expired.
- Monitor. Make sure you adjust your records to your organisation’s needs by continuously improving your recordkeeping. This way you can draft and maintain a complete overview of how your organisation processes personal data.
Have any questions?
Could you use our help in setting up your internal records, or do you need help preparing for the GDPR in general? Please do not hesitate to contact us. We would be happy to help.