GDPR Compliance Journey - 04 Processing Activity Record
Summary
TL;DR: In this video, the host discusses the importance of maintaining a record of processing activities under the General Data Protection Regulation (GDPR), even though it is not mandatory for every organization. They walk through their own record, explain why data processors and recipients must be listed, and address data transfers within the EU. The video also covers retention periods, the importance of regular reviews, and the measures taken to ensure compliance, emphasizing the value of the record in demonstrating accountability under the GDPR.
Takeaways
- 📝 The video discusses the importance of maintaining a record of processing activities under the General Data Protection Regulation (GDPR), even though it's not mandatory for all organizations.
- 🔍 Article 30(5) of the GDPR exempts organizations with fewer than 250 employees from keeping the record, but only where their processing is occasional, is unlikely to pose a risk to data subjects and involves no special categories of data or criminal-conviction data; the speaker summarizes this as having some discretion.
- 🛠️ The organization in the video has chosen to implement a system for their processing activities, viewing it as a best practice despite it not being mandatory.
- 🔗 A template for creating a processing activity record is available on the presenter's company website, guideline.com.
- 📋 The record opens with basic information: the date of the review, organizational details, and the name of the data protection officer.
- 🏢 The script mentions other organizations that process data on behalf of the company, including Microsoft, Amazon Web Services, and business application providers.
- 🌐 The company transfers information out of the country, but only within the EU, so the GDPR's restrictions on international transfers (Chapter V) do not apply.
- 🗓️ The retention period for customer data is six months after the end of the subscription, with CRM details reviewed every 12 months.
- 🔒 Safeguards for data transfers are in place, with data being sent to encrypted locations within the EU.
- 📝 The company retains the email and surname of individuals who have opted out of communications to ensure they are not contacted again.
- 🛡️ Technical and organizational measures are being implemented as part of the GDPR compliance journey, with updates to be included in the next review.
- 📅 The organization plans to review and update its record of processing activities monthly; the GDPR sets no review period, so this is a self-imposed cadence intended to demonstrate best practice.
Q & A
What is the purpose of maintaining a record of processing activities under GDPR?
-The purpose of maintaining a record of processing activities under GDPR is to demonstrate accountability and to show how an organization is complying with the regulation's requirements.
Is it mandatory for all organizations to have a record of processing activities?
-No. Article 30(5) exempts organizations with fewer than 250 employees, but only if their processing is occasional, is unlikely to pose a risk to data subjects and does not involve special categories of data or criminal-conviction data. The speaker's company treats the record as optional for them but keeps one anyway as best practice.
Where can one find a template for a record of processing activities?
-A template for a record of processing activities can be found on the presenter's company website, guideline.com; the link is shown on screen during the video.
What basic information should be included in a record of processing activities?
-Basic information in a record of processing activities should include the date of the review, organizational information and, notably, the name of the data protection officer.
Which external organizations are commonly involved in data processing for many companies?
-Common external organizations include Microsoft, for services such as Word and Excel, and Amazon Web Services, for hosting platforms.
What types of data categories does the company in the script process?
-The company processes data categories such as customers, employees, prospects, and suppliers. They do not currently process sensitive or special categories of data.
Does the company in the script transfer information out of the country?
-Yes, the company transfers information out of the country, but only within the EU. Intra-EU transfers are not subject to the GDPR's international transfer restrictions, so this carries far less risk than a transfer to a country outside the EU without appropriate safeguards.
What is the retention period for customer data in the Guideline software?
-For customers, the company retains their details for six months after the end of the subscription, in case they want to return to using the software.
Why does the company retain the email and surname of individuals who have opted out of communications?
-The company retains this information to ensure they can identify individuals who have opted out and prevent them from being mistakenly re-contacted.
What is the frequency of review for the company's record of processing activities?
-The company reviews and updates its record of processing activities on a monthly basis, even though there is no specific review period mandated by GDPR.
What additional elements does the company plan to include in the record of processing activities in the future?
-The company plans to include a more comprehensive list of technical and organizational measures, as well as links to privacy notices, policies, consent records, data protection impact assessments, and contract or breach information.
Outlines
📝 GDPR Processing Activity Record Overview
This paragraph introduces the concept of a 'processing activity record' under the General Data Protection Regulation (GDPR). It clarifies that the record is not mandatory for every organization (the speaker cites organizations with fewer than 250 employees that do not process special categories of data), but that the speaker's company chooses to maintain one as a best practice. The paragraph also mentions a template available on guideline.com for those who wish to create their own record. The speaker then walks through their company's record, starting with basic information such as the date of the review and organizational details, including the data protection officer's name. It proceeds to the list of organizations that process data on the company's behalf, such as Microsoft, Amazon Web Services and business application providers, and the categories of data processed: customers, employees, prospects and suppliers. The paragraph also covers data transfers within the EU, retention periods, and the practice of retaining minimal data about people who have opted out so that they are not contacted again. Lastly, it mentions the ongoing work to complete the technical and organizational measures section of the record and the company's commitment to reviewing and updating the record monthly.
🔒 Enhancing GDPR Compliance Through Documentation
The second paragraph delves into the purpose of maintaining a processing activity record, which is to demonstrate accountability and compliance with the GDPR. It outlines the intention to include various elements such as data mapping, privacy notices, policies, consent records, data protection impact assessments, and contract or breach information to create a comprehensive record of personal data processing. The paragraph emphasizes the importance of these documents in showing how the company meets GDPR requirements. The speaker also hints at future discussions about policy and mentions the next steps, which include updating privacy notices and conducting data protection impact assessments. The paragraph concludes with a commitment to making the compliance process as straightforward as possible for the audience.
Keywords
💡GDPR
💡Processing Activity Record
💡Discretion
💡Data Protection Officer (DPO)
💡Data Processors
💡Data Recipients
💡Data Categories
💡Data Transfer
💡Retention Period
💡Opted Out
💡Technical and Organizational Measures
Highlights
Introduction to the GDPR compliance journey and the importance of a processing activity record, even though it's not mandatory for all organizations.
Availability of a template for creating a processing activity record on the presenter's company website, guideline.com.
Basic information required in the processing activity record, including the name of the data protection officer.
Listing of third-party organizations that process data on behalf of the company, such as Microsoft, Amazon Web Services, and business application providers.
Identification of organizations that have received personal data, including accountants and CRM platforms like Zoho.
Categories of data processed by the company, including customers, employees, prospects, and suppliers, with no sensitive or special categories currently.
Disclosure of data transfers within the EU and the safeguards in place for such transfers.
Retention period policies for customer data, including retaining details for six months after the end of a subscription.
Practice of retaining email and surname for individuals who have opted out of communications to prevent accidental re-contact.
Ongoing work to implement technical and organizational measures to enhance GDPR compliance.
Monthly review and update of the processing activity record as a best practice, even though it's not a GDPR requirement.
Inclusion of best practice and non-mandatory elements in the processing record to demonstrate full compliance with GDPR.
Linking the processing activity record to other important documents like data mapping, privacy notice, and policy documents.
Upcoming updates to privacy notice and policy documents to ensure ongoing compliance.
Discussion of data protection impact assessments and their importance in the GDPR compliance process.
The main purpose of the processing activity record is to demonstrate accountability and compliance with GDPR requirements.
Preview of the next topic in the GDPR compliance journey, which will focus on policy development.
Transcripts
Hi, and welcome back once again to our GDPR compliance journey. This time we're talking about our processing activity record. Now, we have a system for that which we'll show you in a second, but we should first start by saying that, like many areas in the GDPR, you have some discretion as to some of the things that you might do which are best practice rather than mandatory. So in the case of the record of processing activities, or processing activity record, it's not necessarily mandatory: if you are less than 250 employees, if you don't process special categories and things like that, then you don't necessarily have to do it. But at Guideline we're choosing to do it because we think it's best practice. So we'll take a look at our system in a second. First, just to say that if you want to complete your own processing activity record, there's a template available on guideline.com; the link should be on the screen about now.

So without further ado, let's dive in and have a look at our record. We're now looking at our processing activity record, and we start with a few basic pieces of information: the date of the review and some organizational information. I guess most notably, the name of the data protection officer needs to be in the record. And then we go on to talk about the processing, so a list of other organizations that process data on our behalf. Some of these will be common among many companies: Microsoft, for things like Word and Excel, and Amazon Web Services, for hosting platforms. There'll be a lot of organizations using those two. And for us, we then have our accountants and our business application suite, and that really links into the organizations that have received the personal data, so our accountants, and Zoho, who are our CRM, and AWS, in terms of the software we use. Then the categories of data that we process: customers, employees, prospects and suppliers. At the moment, no sensitive or special categories for us.

We then talk about: have we transferred information out of country? And the answer is yes here, although because we are transferring within the EU safe areas it's not as much of an issue as it might be if we were transferring, say, to Africa or South America, which are considered non-safeguarded areas. So in our description around the safeguards that are in place, I've said that it's gone to safe, encrypted locations within the EU, and some information about how those transfers happen.

In terms of our retention period, what we're saying is that for customers within the Guideline software, when they stop being customers of ours, we retain the details for six months after the end of the subscription, in case they want to come back and use the software again. Within our CRM we review the customer details every 12 months, and inactive ones are removed. However, we do retain the email and a surname of people that have opted out of communications with us: without their email data we would not be able to know who has opted out, and therefore there's a danger that we might email them again, and we don't want that to happen.

And finally, on the kind of mandatory aspects of the processing record, the technical and organizational measures that are in place. Now, I've not completed this at the moment because we've got more work to do in our GDPR journey around putting all of those measures in place, so I didn't want to put a partial answer in there. So when we come back for our next review, which you can see in the record is in one month's time, we'll be populating that area more fully. So this is going to be a monthly activity for Guideline, to review and update our record of processing activities. There isn't a mandated review period within the GDPR; we just feel that it's best practice to review it once a month.

We then come down to kind of best practice or non-mandatory elements within the processing record, and again we think that we would like to store this information with the records so that we can demonstrate our compliance with the GDPR as fully as possible. So we've already done our data mapping, and there's a link there to our data map. We have a privacy notice on our website, and we'll be updating that in a couple of weeks' time. Next time we're going to be talking about policy, so we'll be putting links to all those different policies. We'll be putting in any record of consent. We already have some data protection impact assessments, which are linked to, but again we'll be refreshing those in a few weeks' time. And then any information about contracts or breach. So all of that information goes together to make, we hope, a complete record of the personal information that we are processing.

So the main purpose of having that record in place really is to demonstrate accountability, to show how you are complying with the GDPR and how you are meeting some of those requirements. And as we go through the next few months and we complete a more full record, then hopefully we'll be showing that. So that's it for this time. Next time we'll be talking about policy, so until then, we hope you find your compliance simple.
See more related videos
Data Inventories and Data Maps: The Cornerstone to GDPR Compliance
GDPR Compliance Journey - 09 Retention
GDPR Compliance Journey - 06 Data Protection Impact Assessment
How to create a ROPA (Record of processing activity), GDPR Article 30
GDPR Compliance Journey - 14 Process Documentation
The Data Flow Mapping Tool – the quick and easy way to document personal data processing