Processing of personal data is a vital component of every business. It is used to automate processes, contact employees and customers, and analyse historical performance.
To be GDPR-compliant, it is necessary to keep a record of all processing activities. This article explains how to create that internal document so that you can demonstrate your accountability to supervisory authorities.
Data Mapping and Inventory
Having a complete, granular understanding of the personal data you collect is crucial for openness and transparency. It is also the best way to determine whether the company can legally justify the processing of personal data.
Data mapping can be a complex undertaking that often involves multiple departments within the company (marketing, HR, web development, etc.). It is essential to find the right partner to help create this map easily and accurately, and to cover the full breadth of personal data and business procedures.
An accurate and complete data map is the first phase in creating the internal accountability system required under Article 30 of the GDPR. It will enable you to complete requests to access and erase personal data in a timely manner, while demonstrating the honesty and thoroughness that the GDPR requires in terms of privacy.
Purpose of Data Processing
One of the most important goals of privacy legislation is to create transparency and accountability in the processing of data. However, this is hard to accomplish without detailed documentation of what data is collected, why, where and when.
This is why Article 30 of the GDPR stipulates that organisations keep a record and overview of their processing of personal data that can be made available to supervisory authorities on request. The record also includes the categories of data, the recipients, the purpose of processing and a description of the security measures in place.
Initial compilation and ongoing maintenance of a RoPA can be time-consuming. The process can drain resources, particularly when large corporations process many different types of personal data. However, the document is crucial for self-auditing and for identifying areas where methods can be improved or strengthened.
Data Categories and Types
The GDPR obliges companies that handle personal data to maintain complete records of their data-processing practices, known as a record of processing activities (RoPA). The records must be readily available to authorities on request.
Practically, the only way to build a RoPA that is meaningful and valuable is to divide your business operations into areas with a homogeneous view of the type of data processed there. These might be business functions such as HR, sales and marketing, or geographic locations such as manufacturing facilities or warehouses.
Then consider which lawful basis you rely on to process each set of data. This lets you distinguish between data sets, so you can respond to data subjects' requests.
Data Flow Analysis
Data flow analysis is the process of documenting the sources, storage locations, and destinations of personal data in an organisation. It is related to a Data Protection Impact Assessment (DPIA), though the two serve distinct functions and purposes.
A granular analysis of data flows helps create the records of processing activities, which are a requirement for many organisations under Article 30 of the GDPR and best practice for all of them. This documentation should record the purpose of processing, the legal basis, consent status, and international transfers.
In addition, a fine-grained analysis of data flows can reveal opportunities for constant folding and other optimisation techniques, and help find potential problems. It is also essential for incident response and management. For example, when a security breach occurs, data flow analysis can quickly pinpoint which data has been affected and what measures to take.
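The following is an added example, not code from the original article: it models a minimal Article 30 register with the fields the sections above list (business area, purpose, lawful basis, data categories, recipients, security measures, international transfers, consent status), checks each record for the omissions that would make it incomplete, and runs the incident-response query described above (given a compromised system, which activities, data categories and data-subject groups are affected). All activity names, system names and field names are constructed sample data, and the validation rules are this example's own assumptions about what a minimally complete record contains.

```python
"""Added example: a small record-of-processing-activities (RoPA) register
with completeness checks and a breach-impact query over the data flows.
Everything below (activities, systems, rules) is constructed for illustration."""
from __future__ import annotations
from dataclasses import dataclass, field

# The six GDPR Article 6 lawful bases, as short tags (assumed naming).
ALLOWED_BASES = {"consent", "contract", "legal_obligation", "vital_interests",
                 "public_task", "legitimate_interests"}


@dataclass
class ProcessingActivity:
    name: str
    business_area: str                 # e.g. "HR", "Marketing": the area the article groups by
    purpose: str
    lawful_basis: str
    data_categories: set[str]          # e.g. {"email", "salary"}
    data_subjects: set[str]            # e.g. {"employees"}
    recipients: set[str]               # internal or external recipients
    sources: set[str]                  # where the data comes from
    storage: set[str]                  # systems in which the data is held
    security_measures: set[str]
    international_transfers: set[str] = field(default_factory=set)
    consent_status: str | None = None  # required when lawful_basis == "consent"


def validate(activity: ProcessingActivity) -> list[str]:
    """Return a list of problems with one record; an empty list means it is complete."""
    problems = []
    if activity.lawful_basis not in ALLOWED_BASES:
        problems.append(f"{activity.name}: unknown lawful basis '{activity.lawful_basis}'")
    if activity.lawful_basis == "consent" and not activity.consent_status:
        problems.append(f"{activity.name}: consent-based processing without a consent status")
    for fld in ("purpose", "data_categories", "recipients", "security_measures"):
        if not getattr(activity, fld):
            problems.append(f"{activity.name}: missing {fld}")
    return problems


def validate_register(register: list[ProcessingActivity]) -> list[str]:
    """Problems across the whole register, in register order."""
    return [p for activity in register for p in validate(activity)]


def breach_impact(register: list[ProcessingActivity], compromised_system: str) -> dict:
    """Given a compromised storage system, list the affected activities,
    data categories and data-subject groups from the recorded data flows."""
    hit = [a for a in register if compromised_system in a.storage]
    return {
        "activities": sorted(a.name for a in hit),
        "data_categories": sorted(set().union(*(a.data_categories for a in hit))),
        "data_subjects": sorted(set().union(*(a.data_subjects for a in hit))),
    }


# Constructed sample register: three activities across two business areas.
REGISTER = [
    ProcessingActivity("payroll", "HR", "Pay employees", "contract",
                       {"name", "bank_account", "salary"}, {"employees"},
                       {"payroll provider", "tax authority"}, {"HR onboarding form"},
                       {"hr-db"}, {"encryption at rest", "role-based access"}),
    ProcessingActivity("newsletter", "Marketing", "Send product news to subscribers", "consent",
                       {"email", "name"}, {"customers", "prospects"},
                       {"email service provider"}, {"website signup form"},
                       {"crm-db"}, {"TLS in transit", "access logging"},
                       {"United States"}, consent_status="opt-in recorded at signup"),
    # Deliberately incomplete: no security measures recorded yet.
    ProcessingActivity("web_analytics", "Marketing", "Measure site usage", "legitimate_interests",
                       {"ip_address", "page_views"}, {"website visitors"},
                       {"analytics vendor"}, {"website"},
                       {"crm-db", "analytics-store"}, set()),
]

if __name__ == "__main__":
    for problem in validate_register(REGISTER):
        print("incomplete record:", problem)
    print(breach_impact(REGISTER, "crm-db"))
```

Grouping activities by business area and storing the flows as sets makes both checks cheap: the register review is a linear pass, and the breach query is a filter on the storage field, which is exactly the lookup the incident-response paragraph asks for.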
Data Subjects and Consent
Data subjects are the individuals about whom personal data is collected. They are granted a variety of rights, including the right to access their data and the right to have it deleted or corrected.
Consent is one of the lawful bases for processing data. However, it must be given freely and for a specific purpose. It must also be explicit and well-informed. Consent must be clear and cannot be the default for anyone who provides an email address or ticks one of the boxes on a form.
If a data subject refuses or withdraws consent, you must cease using their personal data (unless another lawful basis applies). Keep a record of the reason for each refusal or withdrawal of consent. You must also inform them of any other lawful basis on which you process their data.
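The procedure in the paragraph above, as an added example that is not part of the original article: when a data subject withdraws consent for a purpose, consent is removed from the lawful bases recorded for that purpose, processing stops if no other basis remains, the withdrawal and its reason are logged either way, and the returned notice tells the subject which basis (if any) the organisation continues to rely on. The `Subject` structure, the purpose names and the dates are constructed sample data.

```python
"""Added example: handling a consent withdrawal so that consent-based
processing stops, the reason is recorded, and the subject is told about any
other lawful basis still in use. Sample subjects and purposes are constructed."""
from __future__ import annotations
from dataclasses import dataclass, field


@dataclass
class Subject:
    subject_id: str
    # purpose -> set of lawful bases recorded for that purpose (assumed layout)
    bases: dict[str, set[str]]
    withdrawal_log: list[dict] = field(default_factory=list)


def may_process(subject: Subject, purpose: str) -> bool:
    """True only while at least one lawful basis remains for the purpose."""
    return bool(subject.bases.get(purpose))


def withdraw_consent(subject: Subject, purpose: str, reason: str, date: str) -> str:
    """Record the withdrawal and return the notice to send to the data subject."""
    entry = {"date": date, "purpose": purpose, "reason": reason}
    remaining = subject.bases.get(purpose, set()) - {"consent"}

    if purpose not in subject.bases:
        entry["outcome"] = "no_processing"
        notice = f"No processing is recorded for '{purpose}'; nothing to withdraw."
    elif remaining:
        # Another lawful basis exists: processing continues, and the subject must be told which.
        subject.bases[purpose] = remaining
        entry["outcome"] = "continued"
        notice = (f"Consent withdrawn for '{purpose}'. We continue this processing "
                  f"under: {', '.join(sorted(remaining))}.")
    else:
        # Consent was the only basis: cease processing for this purpose.
        del subject.bases[purpose]
        entry["outcome"] = "stopped"
        notice = f"Consent withdrawn for '{purpose}'. Processing for this purpose has stopped."

    subject.withdrawal_log.append(entry)
    return notice


if __name__ == "__main__":
    s = Subject("subject-001", {"newsletter": {"consent"},
                                "invoicing": {"consent", "contract"}})
    print(withdraw_consent(s, "newsletter", "too many emails", "2024-05-01"))
    print(withdraw_consent(s, "invoicing", "no longer wants marketing", "2024-05-02"))
    print(s.withdrawal_log)
```

Keeping the lawful bases per purpose (rather than one flag per subject) is what makes the "unless another legal basis applies" branch decidable: the code can only tell the subject which basis remains if that basis was recorded against the purpose in the first place.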