STARTUPS, LEARN HOW TO CREATE YOUR GDPR-COMPLIANT REGISTERS OF PROCESSING ACTIVITIES!
Keeping a register of processing activities is mandatory if your startup processes personal data (as controller and processor) with regard to European regulations (GDPR). What are the obligations imposed by Article 30 of the GDPR? How to keep records of personal data processing?
If you don’t know how to answer these questions, this article will help you understand how to create your registers of processing activities.
1. WHAT ARE THE GDPR OBLIGATIONS?
Unlike in many African countries (e.g. Morocco with the CNDP), it is no longer necessary to carry out prior formalities (requests for authorization or declaration of processing) with personal data protection supervisory authorities within the European Union.
On the other hand, in application of the accountability principle, startups must implement internal mechanisms and procedures enabling them to demonstrate compliance with data protection rules at any time in the event of an audit.
One of the obligations linked to the principle of accountability is the obligation to keep a register of processing activities, whether the startup is acting as data controller or as data processor.
2. WHAT ARE THE PREREQUISITES FOR DRAWING UP THIS REGISTER OF PROCESSING ACTIVITIES?
The following are the essential steps to be taken when drawing up data processing registers:
1. Identify the personal data processing carried out by the startup. This mapping of processing operations is carried out via an audit and inventory of the various purposes for which personal data is processed within the startup. To carry out this mapping, it is necessary to:
- Raise the awareness of the startup’s employees on the subject of personal data protection;
- Integrate all current projects into process mapping;
- Distinguish between professions/departments concerned by the processing of personal data;
- Ask the right questions to detect all the processing operations carried out by the startup. In this respect, it is advisable to target the information requested from employees according to the elements required to establish your processing registers.
2. Identify the startup’s qualification within the meaning of the GDPR for each processing purpose, to determine whether it acts as “data controller”, as a processor (subcontractor) or even as a joint controller.
Pursuant to Article 4 of the GDPR:
- The data controller is “the person who determines the purposes and means of processing”.
- The processor is “the natural or legal person, public authority, department or other body that processes personal data on behalf of the controller”.
This qualification matters in practice: if the startup acts as both controller and processor, it will have to keep two separate registers of processing activities.
3. WHAT DOES YOUR DATA PROCESSING REGISTER CONTAIN?
Depending on your qualification, your data processing register must contain the following information:
| Information | Data controller | Data processor (subcontractor) |
| --- | --- | --- |
| Identity | Name and contact details of the controller and, where applicable, of the joint controller, the controller’s representative and its DPO | Name and contact details of the processor(s) and of each controller for whom the processor is acting and, where applicable, of its DPO and representatives |
| Purposes | Purposes of processing | Categories of processing carried out on behalf of each controller |
| Data subjects | Categories of data subjects concerned | |
| Data | Categories of personal data | |
| Recipients | Categories of recipients, including those outside the EEA | |
| Transfers | Data transfers outside the EEA, identifying the third countries concerned | Data transfers outside the EEA, identifying the third countries concerned |
| Retention | Envisaged time limits for erasure of the data | |
| Security | General description, “as far as possible”, of technical and organizational security measures | General description, “as far as possible”, of technical and organizational security measures |
4. OUR TIPS FOR DRAWING UP PROCESSING REGISTERS
We recommend:
- Indicate only the information strictly required by the GDPR.
- Use a format adapted to the startup (Excel, Word or startup-specific software).
- Use a format that enables rapid export or printing in the event of a request from the supervisory authority.
- Restrict access to registers to those who need to have access in order to carry out their duties.
- Keep registers up to date whenever the processing of personal data changes, or at least every 6 months.
In practice, your records should reflect what is actually and effectively implemented in your start-up.
5. WHY KEEP RECORDS OF PROCESSING ACTIVITIES?
Practical benefits: the data processing register is a management tool that gives you an overview of all personal data processing carried out within your startup. It enables you to comply with the accountability principle by demonstrating your compliance with the GDPR.
This also allows you to meet other GDPR obligations, for example:
- identify any “sensitive” processing operations requiring an impact assessment;
- ensure that retention periods are proportionate to the purposes for which personal data is processed;
- implement security measures adapted to the processing and categories of personal data.
It also helps you avoid financial penalties of up to 2% of the startup’s annual worldwide turnover or a €10 million fine (whichever is greater).