How to manage a data processing register for GDPR compliance

Posted by Chris Owen on Tue, Mar 27, 2018

Businesses control and process hundreds and thousands of different data types every day. It's often automatically collected, kept in various conditions, and retained indefinitely. Few have complete visibility of how the data is processed or controlled, or what risks they are exposed to. 

It's hardly surprising that only 1.64% of businesses are feeling fully ready for the General Data Protection Regulation. The General Data Protection Regulation requires you to maintain records on processing purposesdata sharing and retention. And if the ICO wants your records, you're going to have to make all records available on request (i.e. no more of this).

This level of control will be a big leap for most businesses.  

However, the General Data Protection Regulation does not prescribe exactly how you need to manage data, except that "most organisations will benefit from maintaining their records electronically." 

So what is the easiest, least painful way to create and maintain a comprehensive list of all the ways your business is processing data?

At our recent General Data Protection Regulation workshop, Kate Armitage, Product Quality Assurance Manager at Qualsys said that many businesses will instantly be turning to spreadsheets to manage their Data Processing Register. However, there are other options which you will want to be aware of. Kate said:

The issue with spreadsheets is that they don't integrate with your other business processes. It makes managing change extremely difficult. You don't just have to be compliant on May 25th, you need to be compliant with the General Data Protection Regulation every single day, or risk huge fines. You're going to need to establish robust processes that systematically enable you to manage risks. 

Join the next GDPR workshop here - to get actionable advice, network with peers, learn about the regulation.

So how else can you manage your data processing register to ensure you have a systematic process for collaborating and managing risk - without doubling your workload? 

In this article, we explain how our GDPR software tool will help you systematically plan your data processing register as well as manage risk and change. 


Equipment & Asset Manager

Your data processing register needs to have:

  • The name and contact details of the controller and, where applicable, the joint controller, the controller’s representative and the data protection officer
  • The purposes of the processing
  • A description of the categories of data subjects and of the categories of personal data
  • The categories of recipients to whom the personal data have been or will be disclosed including recipients in third countries or international organisations
  • Where applicable, transfers of personal data to a third country or an international organisation, including the identification of that third country or international organisation and, in the case of transfer), the documentation of suitable safeguards
  • Where possible, the envisaged time limits for erasure of the different categories of data

Note: The obligations referred to above shall not apply to an enterprise or an organisation employing fewer than 250 persons unless the processing it carries out is likely to result in a risk to the rights and freedoms of data subjects, the processing is not occasional, or the processing includes special categories of data.

It can be helpful to start with an information asset register, including: 

  • Information held and processes
  • Where it is stored
  • How it moves
  • Who we share it with
  • What the data is
  • Assign a classification 
  • Level of protection reflecting its classification
  • Indicator of Integrity, Availability and Confidentiality

Rather than just using yet another spreadsheet which doesn't integrate with any of your other business processes, this can all be managed within our software module Equipment and Asset Manager. The software module provides a framework, and your Service Implementation Manager will help you configure and manage the system for long term success.  

Equipment Manager Asset register.png

 

Privacy by design using Change Manager

Privacy by design has existed for years now, but it is only just becoming part of a legal requirement with the GDPR. At its core, privacy by design calls for the inclusion of data protection from the onset of the designing of systems, rather than an addition. 

The controller shall implement appropriate technical and organisational measures in an effective way in order to meet the requirements of this Regulation and protect the rights of data subjects. 

Change Manager enables you to embed privacy by design into all your operations. For example, your marketing team is recruiting a new agency. The agency will be processing your data. Change Manager provides the visibility, associated risks and collaboration required to ensure all of the appropriate documentation, policies and procedures have been followed. 

Privacy by design.png

 

Manage your data privacy impact assessment with Risk Manager

Data protection impact assessments (DPIAs) help organisations to identify the most effective way to comply with their data protection obligations and meet individuals’ expectations of privacy.  DPIAs can be an integral part of taking a privacy by design approach.

The GDPR sets out the circumstances in which a DPIA must be carried out.

PIA Process Map Simple.png

Image: Qualsys's PIA approach 

Risk management is a core requirement of the General Data Protection Regulation. Risk Manager enables you to categorise, identify, suggest, manage and report of risks. 

Rather than using clunky spreadsheets, all your risk data can be managed within a central framework. Risk suggestions can be raised within the system, so you don't need to guess or start from scratch. 

EQMS_Risk_Manager.png

 

What you should do now

See our new GDPR software system in action. Request your demonstration here. 

 GDPR software demonstration

 

Tags: ISO 27001, EU GDPR