GDPR Compliance Journey - 04 Processing Activity Record
Summary
TL;DR: In this video, the host discusses the importance of maintaining a record of processing activities under the General Data Protection Regulation (GDPR), even though it is not mandatory for every organization. They demonstrate their own system, explain why data processors and recipients must be listed, and address data transfers within the EU. The video also covers retention periods, the importance of regular reviews, and the measures taken to ensure compliance, emphasizing the value of accountability under GDPR.
Takeaways
- The video discusses the importance of maintaining a record of processing activities under the General Data Protection Regulation (GDPR), even though it is not mandatory for every organization.
- Under Article 30(5), organizations with fewer than 250 employees are exempt from the record unless their processing is likely to result in a risk to data subjects, is not occasional, or includes special categories of data; organizations outside those conditions have some discretion.
- The organization in the video has chosen to implement a system for recording its processing activities, treating it as best practice despite not being required to keep one.
- A template for creating a processing activity record is available on the official GDPR website and can be used by any organization.
- The record includes basic information such as the review date, organizational details, and the name of the data protection officer.
- The video lists other organizations that process data on behalf of the company, including Microsoft, Amazon Web Services, and business application providers.
- The company transfers information out of the country but within the EU, where GDPR applies directly and no additional international-transfer safeguards are required.
- The retention period for customer data is six months after the end of the subscription, and CRM details are reviewed every 12 months.
- Safeguards for data transfers are in place: data is sent only to encrypted locations within the EU.
- The company retains the email address and surname of individuals who have opted out of communications so that it can recognize them and avoid contacting them again.
- Technical and organizational measures are still being implemented as part of the GDPR compliance journey; updates will be included in the next review.
- The organization plans to review and update its record of processing activities monthly; GDPR sets no fixed review interval, so this schedule is chosen to demonstrate best practice.
Q & A
What is the purpose of maintaining a record of processing activities under GDPR?
-The purpose of maintaining a record of processing activities under GDPR is to demonstrate accountability and to show how an organization is complying with the regulation's requirements.
Is it mandatory for all organizations to have a record of processing activities?
-No, it is not mandatory for all organizations. Under Article 30(5), organizations with fewer than 250 employees are exempt unless their processing is likely to result in a risk to data subjects, is not occasional, or includes special categories of data. Even where the exemption applies, keeping the record is considered best practice.
Where can one find a template for a record of processing activities?
-A template for a record of processing activities can be found on the guideline.com website, with the link provided on the screen during the video.
What basic information should be included in a record of processing activities?
-Basic information in a record of processing activities should include the review date, organizational information, and, notably, the name of the data protection officer.
Which external organizations are commonly involved in data processing for many companies?
-Common external organizations involved in data processing include Microsoft (for Office applications such as Word and Excel) and Amazon Web Services (for hosting platforms).
What types of data categories does the company in the script process?
-The company processes data categories such as customers, employees, prospects, and suppliers. They do not currently process sensitive or special categories of data.
Does the company in the script transfer information out of the country?
-Yes, the company transfers information out of the country, but only within the EU, where GDPR applies directly; this avoids the additional safeguards required for transfers to third countries.
What is the retention period for customer data in the guidelines software?
-For customers, the company retains their details for six months after the end of the subscription in case they want to return to using the software.
Why does the company retain the email and surname of individuals who have opted out of communications?
-The company retains this information to ensure they can identify individuals who have opted out and prevent them from being mistakenly re-contacted.
What is the frequency of review for the company's record of processing activities?
-The company reviews and updates its record of processing activities on a monthly basis, even though there is no specific review period mandated by GDPR.
What additional elements does the company plan to include in the record of processing activities in the future?
-The company plans to include a more comprehensive list of technical and organizational measures, as well as links to privacy notices, policies, consent records, data protection impact assessments, and contract or breach information.