GDPR Compliance Journey - 04 Processing Activity Record

Gydeline
26 Mar 2018 · 06:04

Summary

TL;DR: In this video, the host discusses the importance of maintaining a record of processing activities under the General Data Protection Regulation (GDPR), even though it is not mandatory for every organization. They demonstrate their own system, explain the need to list data processors and recipients, and address data transfers within the EU. The video also covers retention periods, the value of regular reviews, and the measures taken to ensure compliance, emphasizing that the record exists to demonstrate accountability under GDPR.

Takeaways

  • 📝 The video discusses the importance of maintaining a record of processing activities under the General Data Protection Regulation (GDPR), even though it's not mandatory for all organizations.
  • 🔍 Companies with fewer than 250 employees that do not process special categories of data may be exempt from the Article 30 record, but only where their processing is occasional and unlikely to put data subjects at risk.
  • 🛠️ The organization in the video has chosen to implement a system for their processing activities, viewing it as a best practice despite it not being mandatory.
  • 🔗 A template for creating a processing activity record is available on the Gydeline website and can be used by other organizations.
  • 📋 The record opens with basic information: the date of the review, organizational details, and the name of the data protection officer.
  • 🏢 The script mentions other organizations that process data on behalf of the company, including Microsoft, Amazon Web Services, and business application providers.
  • 🌐 The company has transferred information out of the country, but only within the EU/EEA, so the GDPR restrictions on transfers to third countries do not apply.
  • 🗓️ The retention period for customer data is six months after the end of the subscription, with CRM details reviewed every 12 months.
  • 🔒 Safeguards for data transfers are in place, with data being sent to encrypted locations within the EU.
  • 📝 The company retains the email and surname of individuals who have opted out of communications to ensure they are not contacted again.
  • 🛡️ Technical and organizational measures are being implemented as part of the GDPR compliance journey, with updates to be included in the next review.
  • 📅 The organization plans to review and update its record of processing activities monthly; GDPR sets no review period, so this is a best-practice choice rather than a requirement.

Q & A

  • What is the purpose of maintaining a record of processing activities under GDPR?

    -The purpose of maintaining a record of processing activities under GDPR is to demonstrate accountability and to show how an organization is complying with the regulation's requirements.

  • Is it mandatory for all organizations to have a record of processing activities?

    -No. Article 30(5) exempts organizations with fewer than 250 employees, but only where their processing is occasional, is unlikely to result in a risk to data subjects, and involves no special categories of data or criminal-conviction data. Most businesses that routinely process customer and employee data will therefore still need the record, and in any case it is considered best practice.

  • Where can one find a template for a record of processing activities?

    -The speaker says a template for a record of processing activities is available on the Gydeline website, with the link shown on screen during the video.

  • What basic information should be included in a record of processing activities?

    -Basic information in a record of processing activities includes the date of the review, organizational information, and notably the name of the data protection officer.

  • Which external organizations are commonly involved in data processing for many companies?

    -Common external organizations involved in data processing include Microsoft, for services like Word and Excel, and Amazon Web Services, for hosting platforms.

  • What types of data categories does the company in the script process?

    -The company processes data categories such as customers, employees, prospects, and suppliers. They do not currently process sensitive or special categories of data.

  • Does the company in the script transfer information out of the country?

    -Yes, the company transfers information out of the country, but only within the EU, so the GDPR restrictions on transfers to third countries outside the EEA do not apply. The record still describes the safeguards in place: the data goes to encrypted locations within the EU.

  • What is the retention period for customer data in the Gydeline software?

    -For customers, the company retains their details for six months after the end of the subscription in case they want to return to using the software.

  • Why does the company retain the email and surname of individuals who have opted out of communications?

    -The company retains this information to ensure they can identify individuals who have opted out and prevent them from being mistakenly re-contacted.

  • What is the frequency of review for the company's record of processing activities?

    -The company reviews and updates its record of processing activities on a monthly basis, even though there is no specific review period mandated by GDPR.

  • What additional elements does the company plan to include in the record of processing activities in the future?

    -The company plans to include a more comprehensive list of technical and organizational measures, as well as links to privacy notices, policies, consent records, data protection impact assessments, and contract or breach information.

Outlines

00:00

📝 GDPR Processing Activity Record Overview

This paragraph introduces the concept of a 'processing activity record' under the General Data Protection Regulation (GDPR). It clarifies that while the record is not mandatory for all organizations, particularly those with fewer than 250 employees that do not process special categories of data, the speaker's company chooses to maintain one as a best practice. The paragraph also mentions a template available on the Gydeline website for those who wish to create their own record. The speaker then walks through their company's record, starting with basic information such as the date of the review and organizational details, including the data protection officer's name. It proceeds to the list of organizations that process data on their behalf, such as Microsoft, Amazon Web Services, and business application providers, and the categories of data they process: customers, employees, prospects, and suppliers. The paragraph also covers data transfers within the EU, retention periods, and the practice of retaining minimal data for those who have opted out so that they are not contacted again. Lastly, it mentions the ongoing work to complete the technical and organizational measures section of the record and the company's commitment to reviewing and updating the record monthly.

05:00

🔒 Enhancing GDPR Compliance Through Documentation

The second paragraph delves into the purpose of maintaining a processing activity record, which is to demonstrate accountability and compliance with the GDPR. It outlines the intention to include various elements such as data mapping, privacy notices, policies, consent records, data protection impact assessments, and contract or breach information to create a comprehensive record of personal data processing. The paragraph emphasizes the importance of these documents in showing how the company meets GDPR requirements. The speaker also hints at future discussions about policy and mentions the next steps, which include updating privacy notices and conducting data protection impact assessments. The paragraph concludes with a commitment to making the compliance process as straightforward as possible for the audience.

Keywords

💡GDPR

GDPR stands for General Data Protection Regulation, which is a regulation in EU law on data protection and privacy for all individuals within the European Union (EU) and the European Economic Area (EEA). It also addresses the transfer of personal data outside these areas. In the video, GDPR is the central theme as the speaker discusses compliance with its requirements, such as maintaining a record of processing activities.

💡Processing Activity Record

A Processing Activity Record (the GDPR's record of processing activities, Article 30) documents what personal data an organization processes, why, with whom it is shared, how long it is kept and how it is protected. Article 30(5) exempts some organizations with fewer than 250 employees, and the speaker states that the record is not required for their size or type of processing, but their organization maintains one anyway as best practice and to demonstrate compliance with GDPR.

💡Discretion

Discretion, in the context of GDPR, refers to the flexibility that organizations have in choosing certain actions that are recommended but not strictly mandatory. The script explains that while maintaining a Processing Activity Record is not mandatory, the speaker's organization is choosing to do so as a best practice.

💡Data Protection Officer (DPO)

A Data Protection Officer is a role defined by the GDPR (Articles 37 to 39), responsible for advising on and monitoring compliance with data protection law; appointing one is mandatory only for certain organizations. The script mentions that the DPO's name is included in the Processing Activity Record (Article 30 asks for the DPO's contact details where one has been appointed), emphasizing the importance of this role in GDPR compliance.

💡Data Processors

Data processors are third parties that process personal data on behalf of a data controller. In the script, the speaker lists Microsoft, Amazon Web Services, and business application suite providers as examples of data processors that their organization uses.

💡Data Recipients

Data recipients are entities that receive personal data from the data controller. The script mentions accountants and Zoho CRM as recipients of personal data from the speaker's organization, indicating the flow of data beyond the organization itself.

💡Data Categories

Data categories refer to the types of data that an organization processes. The script specifies that the organization processes data of customers, employees, prospects, and suppliers, but does not process sensitive or special categories of personal data.

💡Data Transfer

Data transfer refers to the movement of personal data from one country to another. The script notes that the organization has transferred data out of the country but within the EU, which the speaker calls a 'safe area'; transfers within the EU/EEA are not restricted international transfers under GDPR, so the additional safeguards required for third countries do not apply.

💡Retention Period

Retention period is the length of time that an organization retains personal data. In the script, the speaker describes their retention policy for customers, mentioning that details are kept for six months after the end of a subscription, aligning with GDPR's principles of data minimization and storage limitation.

💡Opted Out

Opting out refers to individuals choosing not to receive communications from an organization. The script explains that the organization retains the email and surname of individuals who have opted out to ensure they are not contacted again, which is a measure to respect data subject rights under GDPR.

💡Technical and Organizational Measures

Technical and Organizational Measures are the security controls (Article 32) an organization applies to protect personal data, such as encryption and access control; Article 30 asks for a general description of them in the record where possible. The script notes that the speaker's organization has left this section blank rather than enter a partial answer, and will populate it at the next monthly review once the measures are in place.

Highlights

Introduction to the GDPR compliance journey and the importance of a processing activity record, even though it's not mandatory for all organizations.

Availability of a template for creating a processing activity record on the Gydeline website.

Basic information required in the processing activity record, including the name of the data protection officer.

Listing of third-party organizations that process data on behalf of the company, such as Microsoft, Amazon Web Services, and business application providers.

Identification of organizations that have received personal data, including accountants and CRM platforms like Zoho.

Categories of data processed by the company, including customers, employees, prospects, and suppliers, with no sensitive or special categories currently.

Disclosure of data transfers within the EU and the safeguards in place for such transfers.

Retention period policies for customer data, including retaining details for six months after the end of a subscription.

Practice of retaining email and surname for individuals who have opted out of communications to prevent accidental re-contact.

Ongoing work to implement technical and organizational measures to enhance GDPR compliance.

Monthly review and update of the processing activity record as a best practice, even though it's not a GDPR requirement.

Inclusion of best practice and non-mandatory elements in the processing record to demonstrate full compliance with GDPR.

Linking the processing activity record to other important documents like data mapping, privacy notice, and policy documents.

Upcoming updates to privacy notice and policy documents to ensure ongoing compliance.

Discussion of data protection impact assessments and their importance in the GDPR compliance process.

The main purpose of the processing activity record is to demonstrate accountability and compliance with GDPR requirements.

Preview of the next topic in the GDPR compliance journey, which will focus on policy development.

Transcripts

play00:00

[Music]

play00:04

hi and welcome back once again to our

play00:07

GDPR compliance journey this time

play00:10

we're talking about our processing

play00:13

activity record now we have a system for

play00:18

that which we'll show you in a second

play00:20

but we should first start by saying that

play00:23

like many areas in the GDPR you have

play00:26

some discretion as to some of the things

play00:30

that you might do which are best

play00:32

practice rather than mandatory so in the

play00:35

case of the record of processing

play00:38

activities or processing activity record

play00:41

it's not necessarily mandatory so if you

play00:44

are less than 250 employees if you don't

play00:48

process special categories and things

play00:50

like that then you don't necessarily

play00:51

have to do it but at Gydeline we're

play00:53

choosing to do it because we think it's

play00:55

best practice so we'll take a look at

play00:59

our system in a second first just to say

play01:02

that if you want to complete your own

play01:03

processing activity record there's a

play01:05

template available on gydeline.com the

play01:08

link should be on the screen about now

play01:10

and so without further ado let's dive in

play01:14

and have a look at our record so we're

play01:17

now looking at our processing activity

play01:19

record and we start with a few basic

play01:22

pieces of information the date of the

play01:24

review and some organizational

play01:27

information

play01:28

I guess most notably the name of the

play01:32

data protection officer needs to be in

play01:34

the record and then we go on to talk

play01:36

about the processing so a list of other

play01:40

organizations that process data on our

play01:42

behalf so some of these that will be

play01:44

common among many companies Microsoft

play01:46

for things like Word and Excel and Amazon

play01:51

Web Services for hosting platforms

play01:54

there'll be a lot of organizations using

play01:56

those two and for us we then have our

play01:58

accountants in our business application

play02:01

suite and that really links into the

play02:04

organizations that have received the

play02:06

personal data so our accountants and

play02:09

Zoho for our CRM and AWS in

play02:13

of the software we use then the

play02:17

categories of data that we process

play02:19

customers employees prospects and

play02:21

suppliers at the moment no sensitive or

play02:25

special categories for us we then talk

play02:27

about have we transferred information

play02:29

out of country and the answer is yes

play02:32

here although because we are

play02:34

transferring within the EU safe areas

play02:38

it's not as much of an issue as it might

play02:41

be if we were transferring say to Africa

play02:45

or South America which are considered non

play02:48

safeguarded areas so in our description

play02:51

around the safeguards are in place I've

play02:53

said that it's gone to safe encrypted

play02:56

locations within the EU and some

play03:00

information about how those transfers

play03:02

happen in terms of our retention period

play03:05

what we're saying is that for customers

play03:08

within the Gydeline software when they

play03:10

stop being customers of ours we retain

play03:13

the details for six months after the end

play03:15

of the subscription in case they want to

play03:17

come back and use the software again

play03:19

within our CRM we review the customer

play03:24

details every 12 months and inactive ones

play03:26

that are removed however we do retain

play03:29

email and a surname of people that have

play03:32

opted out of communications with us

play03:34

without their email data we would not be

play03:38

able to know who has opted out and then

play03:40

therefore there's a danger that we might

play03:42

email them again and we don't want that

play03:44

to happen and finally on the kind of the

play03:48

mandatory aspects of the processing

play03:49

record the technical and organizational

play03:53

measures that are in place now I've

play03:56

not completed this at the moment because

play03:59

we've got more work to do in our GDPR

play04:02

journey around putting all of those

play04:03

measures in place so I didn't want to

play04:05

put a partial answer in there so when we

play04:09

come back for our next review which you

play04:12

can see in the record is in one month's

play04:14

time we'll be populating that area more

play04:17

fully so this is going to be a monthly

play04:19

activity for Gydeline to review and

play04:23

update our record of processing

play04:25

activities there isn't a mandatory

play04:27

review period within the gdpr we just

play04:30

feel that it's best practice to review

play04:33

it once a month we then come down to

play04:36

kind of best practice or non-mandatory

play04:39

elements within the processing record

play04:41

and again we think that we would like to

play04:43

store this information with the records

play04:45

so that we can demonstrate our

play04:48

compliance with the gdpr as fully as

play04:51

possible so we've already done our data

play04:53

mapping and there's a link there to our

play04:55

data map we have a privacy notice on our

play04:57

website and we'll be updating that in

play05:00

a couple of weeks time next time we're

play05:03

going to be talking about policy so

play05:05

we'll be putting links to all those

play05:07

different policies we'll be putting any

play05:10

record of consent we already have some

play05:13

data protection impact assessments which

play05:14

are linked to but again we'll be

play05:16

refreshing those in a few weeks time and

play05:18

then any information about contracts or

play05:21

breach so all of that information goes

play05:26

together to make we hope a complete

play05:29

record of the personal information that

play05:31

we are processing so the main purpose of

play05:35

having that record in place really is to

play05:37

demonstrate accountability to show how

play05:40

you are complying with the gdpr and how

play05:43

you are meeting some of those

play05:44

requirements and as we go through the

play05:48

next few months and we complete a more

play05:50

full record then hopefully we'll be

play05:53

showing that so that's it for this time

play05:56

next time we'll be talking about policy

play05:58

so until then we hope you find your

play06:01

compliance simple


Related Tags: GDPR Compliance, Data Protection, Processing Record, Best Practices, Data Privacy, Monthly Review, Data Mapping, Privacy Notice, Data Retention, Cloud Hosting, Business Software
GDPR ComplianceData ProtectionProcessing RecordBest PracticesData PrivacyMonthly ReviewData MappingPrivacy NoticeData RetentionCloud HostingBusiness Software