Under GDPR most businesses have an obligation to keep an inventory of their data processing activities in relation to personal data. This is no mean feat and it is more onerous than it looks at face value. Trust me, I know, I’ve been through it.
In this post I will share my experience, best practice and tips on how to go about building your own inventory of data processing activities.
Tips, Considerations, Do’s and Don’ts
- As with any project of this size (and please do not underestimate the enormity of this undertaking, even if you are a small business), it is important to define the scope.
- Limit yourself to only those processing activities that concern personally identifiable information (PII).
- Business-to-business data may still be in scope. Do you work with self-employed people, freelancers, or companies whose employees’ email addresses contain their name and surname? News flash: that is still PII.
- IP addresses are considered personal data, so be sure to check with your IT department what monitoring activities are carried out on your systems and whether IP addresses are collected. One commonly used tool that escapes notice is Google Analytics or similar.
- Do not forget about logs. Most systems nowadays keep logs for auditing and debugging purposes – if they don’t they should. Logs may sometimes be more detailed than you would expect and some PII may be lurking in there.
- It is not only about the service or product you provide, you have suppliers and employees.
- Don’t forget that for data concerning your employees you are the controller and you may even have sensitive data related to health for health insurance purposes and financials for payroll processing purposes.
- Marketing activities may come from HR as well in the form of recruitment drives.
- Your Finance department may be sharing more information than you realise to apply for grants and tax benefits which may require disclosing information about employees to government authorities.
- Spreadsheet programs won’t cut it for this type of record keeping. Source a good GRC tool. I recommend LogicGate.
- Don’t forget that processing activities include collection, input into systems, output, manipulation, analysis, extraction of statistics, and storage.
- Don’t forget that inputting data into a system hosted by some other company is considered a transfer of data, which requires even more information to be recorded.
- Build a simple questionnaire with the basic questions to send to all business units. Do not try to gather all the information in one questionnaire, as most people will get discouraged or have other priorities and won’t have time to fill it in.
- Build further questionnaires based on the answers of the initial questionnaire to be sent to business units, if and when clarifications are required.
- Legal is your friend. A lot of the information you will need can be found within contracts and data processing agreements.
- Do not record a separate processing activity per department if it is the same thing. Group them, as otherwise it is a never-ending and thankless task. For example, if both your support team and your developers investigate defects and require access to client data for this purpose, consider that one activity.
- Do take the time to segment and group the information you require, to avoid as much duplication of data as possible. Believe you me, you will have more data than you will know what to do with. Scouring through duplicates and repeated information is not an activity you need to do.
- Do cross-check your data processing activities with the risk department. They may already have recorded risks that help you discover processing activities that no department mentioned.
- Do cross-check with your IT department: they usually keep a record of all IT systems in use, whether internal or external, for the purpose of controlling access. If a system exists, there is a good likelihood that some processing activity is being performed on it.
- Storing of data can occur in the physical realm. Don’t forget to ask about any filing cabinets or drawers where hard copies may be stored.
- Usernames for the purpose of accessing a system are also considered personal data.
- Do take the time to explain to each business unit the importance of this exercise and what the expected outcome is.
- Do take the time to provide each business unit with relevant examples. Just as you may not be an expert in their area, they may not be experts in compliance and GDPR.
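To make the point about IP addresses, usernames and email addresses lurking in logs concrete, here is a small added example (my own illustration, not part of the original post or any GRC tool) that scans constructed sample log lines for those three PII classes and tallies which classes the logging activity actually handles. It assumes the log convention that the authenticated account is written as `user=<name>`; the sample lines are made up for the demonstration.

```python
import ipaddress
import re
from collections import Counter

# Constructed sample log lines (not taken from any real system).
SAMPLE_LOGS = [
    "2024-03-01 10:02:11 INFO login ok user=jsmith ip=203.0.113.42",
    "2024-03-01 10:02:15 DEBUG invoice sent to john.smith@example.com total=120.00",
    "2024-03-01 10:03:40 INFO healthcheck ok",
    "2024-03-01 10:04:02 WARN failed login user=a.brown ip=198.51.100.7 attempts=3",
    "2024-03-01 10:05:00 DEBUG web analytics beacon ip=2001:db8::1",
]

EMAIL_RE = re.compile(r"[\w.+-]+@[\w-]+(?:\.[\w-]+)+")
# Assumed log convention: the authenticated account appears as user=<name>.
USERNAME_RE = re.compile(r"\buser=(\S+)")
# Any run of hex digits, dots and colons is an IP candidate; the ipaddress
# module does the real validation, so timestamps like 10:02:11 are not flagged.
IP_CANDIDATE_RE = re.compile(r"[0-9a-fA-F:.]+")


def scan_line(line):
    """Return {pii_class: [values]} for the personal data found in one log line."""
    found = {}
    for token in IP_CANDIDATE_RE.findall(line):
        try:
            addr = ipaddress.ip_address(token)
        except ValueError:
            continue
        found.setdefault(f"ipv{addr.version}", []).append(token)
    emails = EMAIL_RE.findall(line)
    if emails:
        found["email"] = emails
    users = USERNAME_RE.findall(line)
    if users:
        found["username"] = users
    return found


def inventory(lines):
    """Count the lines containing each PII class: this is what you record
    against the 'logging' processing activity in the inventory."""
    counts = Counter()
    for line in lines:
        for pii_class in scan_line(line):
            counts[pii_class] += 1
    return dict(counts)


if __name__ == "__main__":
    for line in SAMPLE_LOGS:
        print(scan_line(line) or "no PII", "<-", line)
    print("summary:", inventory(SAMPLE_LOGS))
```

Run it against an export of your real logs to find out which PII classes they contain before you answer the questionnaire for the logging activity.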
That’s a lot of things to consider, and that is only the tip of the iceberg. I guess this topic warrants another post or two, perhaps to identify the specific information one would need to gather for each activity.
If that sounds like what you need, drop us a comment or stay tuned.
Update: A new post detailing in 5 steps how to design your data processing activities inventory.