The records of processing activities are a new obligation under the GDPR, which takes effect on May 25, 2018.
It is recommended to start keeping the records of processing activities today. They give you immediate insight into the information you need to comply with all other obligations that result from the GDPR, such as drawing up processing agreements. The register is a document, for example an Excel spreadsheet. It must be drawn up by both the controller and the processor, must be kept continuously up to date, and has to contain information about the processing, such as the contact details of the controllers and processors, the purposes of the various processing activities, and the categories of personal data.
This obligation applies to certain groups of controllers and processors of personal data. When you meet at least one of the following conditions, the records of processing activities are mandatory:
The processing activity concerns criminal facts, for instance law offices that specialize in criminal law.
The controller determines the purpose and means of the processing activity, for instance when your business processes employees' personal data. A salary slip is an example. The business is responsible for these data and is therefore the controller.
The processor processes the personal data on behalf of the controller, for example the payroll administration office that pays all salaries for your business. The processor also needs to keep a register of processing activities. This register differs from the controller's register and is less extensive.
A register of processing activities has to be set up on paper and in electronic form. The contents of the register differ for the controller and the processor.
|For the controller:|For the processor:|
Do make a start on setting up the records of processing activities. The purposes of the processing activities and the types of personal data you process will help you decide whether you have taken a suitable set of measures. When you process medical data, for example, and the data subjects are categorized as healthcare recipients, the choice of processor is very important. It is advisable, and sometimes even mandatory, to work with an NEN 7510-certified processor. You would moreover prefer a processor that applies a higher security level than would be necessary if the processing activity only concerned e-mail addresses.
Do you have any questions about the records of processing activities, or about the GDPR? Please contact us.
Starting May 25, 2018, any business in the European Economic Area (EEA) that processes personal data has to comply with the GDPR. This regulation replaces existing national legislation. The GDPR sets out requirements that have to be met when processing personal data. With the new regulation, the EU wants to give its citizens back control of their personal data. The conditions are strict and the GDPR is binding. Violations will be heavily penalised, with the risk of fines of up to €20,000,000 or 4% of your annual turnover! Plenty of reasons to take this seriously.