GDPR, data processing register, data fields of register
This post summarises what must be included in such a register, as an overview for those who still have to carry out this task.
The Regulation specifies what data must be included but is silent on the form it should take. We propose a simple Excel spreadsheet, where a table with hundreds of lines can be managed without difficulty.
Let's first look at the fields in the header of the table, in the terms used by the GDPR:
- the name and contact details of the controller and, where applicable, the joint controller, the controller’s representative and the data protection officer;
- the purposes of the processing;
- a description of the categories of data subjects and of the categories of personal data;
- the categories of recipients to whom the personal data have been or will be disclosed including recipients in third countries or international organisations;
- where applicable, transfers of personal data to a third country or an international organisation, including the identification of that third country or international organisation and, in the case of transfers referred to in the second subparagraph of Article 49(1), the documentation of suitable safeguards;
- where possible, the envisaged time limits for erasure of the different categories of data;
- where possible, a general description of the technical and organisational security measures.
Now the same fields, in plainer terms:
- name of the data processing process (identification of a unit, if applicable);
- purpose of the processing;
- categories of the data subjects;
- categories of the personal data processed;
- place of storage (potentially with breakdown to applications);
- format (electronic, paper-based);
- connected documents;
- data sources (from whom they were received);
- legal basis (one of the six listed in the Regulation);
- evidence for the legal basis;
- profiling (Y/N; if yes, a description);
- automated decision-making (Y/N; if yes, a description);
- period of storage (based on legislation or internal policy);
- persons with right of access (identified by job or position);
- whether data is transferred and, if so, to whom (processor, recipient, third country, joint controller).
Preparing the table does not require specialist professional support; populating it with data may well do, which is something we have already done at PS.
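The column list above is a schema, and a spreadsheet export can be checked against it mechanically before the register is signed off. The following is an added example, not code from the post or from PS: a small validator that reads the register as CSV (the column names are assumed, chosen to mirror the list above) and flags the rows that are incomplete or inconsistent: an empty mandatory field, a legal basis outside the six of Article 6(1) GDPR, a profiling or automated-decision flag set to Y without the required description, and a third-country transfer with no documented safeguards. The sample register rows are constructed for the example.

```python
import csv
import io

# Columns of the register; names are assumed here and follow the post's field list.
REQUIRED_COLUMNS = [
    "process_name", "purpose", "data_subject_categories", "personal_data_categories",
    "storage_place", "format", "connected_documents", "data_sources",
    "legal_basis", "legal_basis_evidence",
    "profiling", "profiling_description",
    "automated_decision", "automated_decision_description",
    "storage_period", "access_rights",
    "transfer_to", "third_country", "safeguards_documentation",
]

# Fields that must never be empty, whatever the processing activity.
MANDATORY_VALUES = [
    "process_name", "purpose", "data_subject_categories", "personal_data_categories",
    "legal_basis", "legal_basis_evidence", "storage_period", "access_rights",
]

# The six lawful bases of Article 6(1) GDPR, which the post refers to without listing.
LEGAL_BASES = {
    "consent", "contract", "legal obligation",
    "vital interests", "public task", "legitimate interests",
}
FORMATS = {"electronic", "paper", "both"}


def validate_row(row):
    """Return the list of problems found in one register row (empty list = row passes)."""
    problems = [f"missing column: {c}" for c in REQUIRED_COLUMNS if c not in row]
    if problems:
        return problems  # header is wrong; content checks would only raise KeyError

    for field in MANDATORY_VALUES:
        if not row[field].strip():
            problems.append(f"empty mandatory field: {field}")

    basis = row["legal_basis"].strip().lower()
    if basis not in LEGAL_BASES:
        problems.append(f"legal basis '{row['legal_basis']}' is not one of the six Article 6(1) bases")

    if row["format"].strip().lower() not in FORMATS:
        problems.append(f"unknown format '{row['format']}' (expected electronic, paper or both)")

    # A Y flag without a description leaves the register silent on what actually happens.
    for flag, desc in (("profiling", "profiling_description"),
                       ("automated_decision", "automated_decision_description")):
        value = row[flag].strip().upper()
        if value not in {"Y", "N"}:
            problems.append(f"{flag} must be Y or N, got '{row[flag]}'")
        elif value == "Y" and not row[desc].strip():
            problems.append(f"{flag} is Y but {desc} is empty")

    # Transfers to a third country need the suitable safeguards documented in the register.
    country = row["third_country"].strip()
    if country and not row["safeguards_documentation"].strip():
        problems.append(f"third-country transfer to {country} without documented safeguards")

    return problems


def validate_register(csv_text):
    """Map each processing activity (or its row number) to its list of problems."""
    reader = csv.DictReader(io.StringIO(csv_text))
    results = {}
    for line_no, row in enumerate(reader, start=2):  # line 1 is the header
        key = (row.get("process_name") or "").strip() or f"row {line_no}"
        results[key] = validate_row(row)
    return results


def register_is_complete(csv_text):
    """True only when every row of the register passes all checks."""
    return all(not problems for problems in validate_register(csv_text).values())


# Constructed sample register: one clean row and two rows with typical defects.
SAMPLE_REGISTER = """process_name,purpose,data_subject_categories,personal_data_categories,storage_place,format,connected_documents,data_sources,legal_basis,legal_basis_evidence,profiling,profiling_description,automated_decision,automated_decision_description,storage_period,access_rights,transfer_to,third_country,safeguards_documentation
Payroll,Salary payment,Employees,"Name, bank account, salary",HR system,electronic,Employment contract,Employee,contract,Employment contract clause 4,N,,N,,7 years after employment ends (tax law),Payroll clerk; HR manager,Bank (processor),,
Newsletter,Marketing e-mails,Subscribers,"Name, e-mail",Mailing tool,electronic,,Web form,legit,Sign-up form,Y,,N,,Until unsubscribe,Marketing team,Mailing provider (processor),,
Support tickets,Customer support,Customers,"Name, e-mail, ticket text",SaaS helpdesk,electronic,,Customer,contract,Service agreement,N,,N,,3 years,Support staff,Helpdesk vendor (processor),USA,
"""

if __name__ == "__main__":
    for name, problems in validate_register(SAMPLE_REGISTER).items():
        print(name, "->", "OK" if not problems else "; ".join(problems))
```

Run it over the real export and fix every flagged row before the register is considered final; the checks are deliberately strict about the conditional fields (description, safeguards), because those are the ones most often left blank when a register is filled in from memory rather than from the actual processing activity.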