How do you keep an RGPD-compliant register of processing operations?
The General Data Protection Regulation (GDPR, or RGPD in French) becomes applicable on May 25, 2018. It applies to every public body and private company that processes personal data of people in the EU, whatever the organization's size or the scale of the processing.
It establishes the principle of accountability (Article 5(2)): each player must be able to demonstrate, at any time, that its processing activities comply with the applicable regulations. Hence the obligation to keep a register of processing activities (Article 30), one of the main requirements for complying with the RGPD.
Who must keep a processing register?
All companies and administrations with 250 or more employees are required to keep a processing register under the RGPD.
Companies with fewer than 250 employees are not automatically exempt: they must also draw up a processing register when at least one of the following cases applies (Article 30(5)):
- The processing is likely to result in a risk to the rights and freedoms of data subjects (for example, processing that could lead to discrimination);
- The processing is not occasional (routine personnel management (HR), supplier management or customer management, for instance);
- The processing involves special categories of data, known as "sensitive data" (data revealing racial or ethnic origin, religious or philosophical beliefs, political or other opinions, health data, etc.);
- The processing involves data relating to criminal convictions and offences.
In practice, almost every organization carries out routine HR or customer processing, so the small-business exemption rarely applies in full.
The regulation also specifies that the absence of a Data Protection Officer (DPO) does not exempt the organization from keeping a data processing register.
Processors, i.e. organizations that process personal data on behalf of a controller, must also keep a register of the categories of processing carried out for each controller (Article 30(2)).
What must a processing register contain?
The information contained in the processing register must answer the following questions:
- Who? The name and contact details of the controller (and, where applicable, of any joint controller, the controller's representative and the DPO),
- Why? The purposes of the processing,
- What data? The categories of data subjects and the categories of personal data processed,
- Where? The recipients of the data, including any transfers to a third country or international organization (with the safeguards relied on),
- Until when? The envisaged time limits for erasure of the different categories of data,
- How is it protected? A general description of the technical and organizational security measures in place to protect the data.
Article 30 defines a minimum, not a maximum. Nothing prevents you from adding complementary elements, such as the legal basis of each processing, whether an impact assessment (DPIA) is required, a reference to the record of data breaches, and so on.
Example of a data processing register with CaptainDPO
CaptainDPO publishes a SaaS software solution to help DPOs manage their organization's compliance with the RGPD. The register view presents:
- The list of processing operations,
- The data controllers,
- The company,
- The status of each processing operation (In progress, Compliant, Non-compliant).
CaptainDPO lets you see where you are not compliant, so that you can take the necessary action by creating tasks and tracking them to completion.
Details of each processing operation are also available:
- Overall description of the processing,
- The person responsible for the processing,
- The purpose of the processing,
- Security measures protecting the data,
- The categories of data processed,
- Location of the data (in the event of a transfer outside the EU).
Multi-register management is now integrated into CaptainDPO for external DPOs who handle several organizations.
Penalties for non-compliance with this obligation
Failure to keep a register of processing activities, or to carry out an impact assessment before processing where one is required, can result in severe penalties.
Under Article 83(4), the administrative fine can reach 10 million euros or 2% of the company's total worldwide annual turnover for the preceding financial year, whichever amount is higher.