GDPR (7) Records of personal data processing operations
This instalment takes a closer look at the content of the records of personal data processing operations. All controllers would do well to keep such records, even though, strictly speaking, small organisations are not always required to do this.
First of all, you need to draw up a simple list of the personal data that your company or organisation works with. The Belgian Privacy Commission explains the requirements that the records need to meet, which it has grouped together based on six simple questions (Who? Why? What? Where? Until when? How?). The Privacy Commission’s website contains a short summary, a detailed paper and a recently added model register, all of which can be downloaded. However, they are not available in English. The six questions are considered below.
First, your records must establish who the controller is. This means they must contain accurate information about your firm or organisation (including contact details) and the name and details of your Data Protection Officer. If you do not have a Data Protection Officer, your records must identify the person who is to be contacted in the event of any questions, problems, complaints or data breaches.
Large organisations are advised to specify the department or person responsible for individual sets of personal data. This is because the department or person in question will act as the point of contact for information about other matters to be included in the records.
It is essential that you specify the purpose for which you use personal data. The basic principle underlying all privacy legislation, and the GDPR in particular, is that information may only be collected and processed if this is strictly necessary for the intended purpose. Obviously you require contact details in order to communicate with your customers and suppliers. In addition, your company has to collect names and addresses for its sales and marketing activities. Moreover, enriching basic data of this kind with additional information, such as the geographical distribution of customers or the sectors in which they are active, is also desirable.
The Privacy Commission stresses that the purpose must be described in the most specific terms possible and clearly demonstrate the necessity of processing the relevant information. Its paper includes an appendix containing a list of purposes and more precise descriptions that can be used as a tool.
It is also a good idea to consider the legal grounds your organisation has for processing the personal data, although it is not strictly necessary to include this information in the records. In some cases, these grounds will give rise to specific obligations or procedures that need to be followed. You should add that information to the records immediately as it will make it easier for you to check later whether you comply with all the statutory obligations.
Next, you need to record the categories of data subjects (e.g. your customers, employees or visitors) that form the source of the processed personal data that are used for each separate purpose. At this point you also need to indicate the approximate number of data subjects, as this can provide you with an idea of the impact in the event of a data breach.
You then need to specify the information about the data subjects that you keep and use. For example, do you only keep and use names and addresses, or do you also collect information about the data subjects’ age, gender, position and interests? A list of possible categories can be found in the appendix to the Privacy Commission’s note.
It is crucial that you explicitly state whether certain information belongs in any of the special categories (see the second instalment of this blog). This is because special rules and restrictions apply to such information. It is also necessary to identify explicitly any information that does not belong in these special categories but can still be considered sensitive, such as financial information or data related to minors.
For each identified purpose, the records also need to specify the recipients of the processed information. It may be sent to a natural person, or to a government institution or an internal or external processor. All recipients need to be identified by name.
It is important to indicate whether the information will be processed exclusively within the European Economic Area. If data end up outside the European Economic Area, you need to guarantee that the personal data will continue to be adequately secured and that the data subjects will still enjoy the same rights and protection. This must be demonstrated in the records.
As data may only be used for the intended purpose, it logically follows they may not be kept for any longer than is necessary for that purpose. The Privacy Commission has stated that retention periods do not always have to be expressed as a specific number of days, months or years, and formulations such as ‘the retention period prescribed by law’ are also possible.
How are the data protected?
As a controller, under the GDPR you are responsible for the protection of the personal data you process. You need to take all necessary measures to ensure their confidentiality and integrity are not compromised. The data must not be wrongfully published or passed on to the wrong recipients, and they must not be wrongfully altered.
Maintaining complete, accurate records will provide you with a good basis for demonstrating that you exercise due care when processing personal data and that you take your responsibility seriously. It will also provide a starting point for working out your own internal procedures and checking whether these procedures are applied correctly. And, finally, it will also prove helpful when you draw up privacy statements.
Viktor D’Huys is the ICT manager of Group Joos. He is responsible for matters including data security and the coordination of the GDPR project. He is a Certified Information Security Manager (CISM certified by the ISACA) and has been awarded the CIPP/E (Certified Information Privacy Professional/Europe) credential by the IAPP (International Association of Privacy Professionals).
If you have any questions or comments, please write to us at firstname.lastname@example.org.