4 Steps to Identify Data Processing Activities

If you embarked on a journey to identify data processing activities in your organization, the good news is that you have taken the right direction in building your GDPR-compliant privacy program.

However, the identification of data processing is not a one-time task but rather an ongoing activity since organizations are like living organisms, with different organizational units creating new products and services, changing partners and vendors, and evolving IT systems.

Reporting new or changed data processing to the DPO should be part of the organizational culture. The Data Protection Officer should know how the organization consumes data and have a clear overview of all data processing.

To help you create a GDPR-positive environment in your organization, we have put together four steps a DPO or privacy program leader should take to identify and record the processing of personal data successfully.

1. Define privacy responsibilities

The division of responsibilities should be the first task to tackle.

Privacy responsibilities can be defined with an executive-management privacy program sponsor and a clear vision and mission statement.

Every processing activity should have a defined owner responsible for recording and updating privacy information and technical details about the activity.

The definition of ownership will depend on the chosen privacy governance model. However, it is recommended that an owner be involved in the business decisions around the processing.

For example, a marketing manager should be responsible for updating records of processing for marketing purposes, like marketing campaigns, visitor tracking, or newsletters.

The Data Protection Officer can schedule a regular process of updating the records of processing for marketing and assign it to the marketing manager.

The marketing manager will then collect all the needed information from the employees working in the marketing department and update the records.

2. Work closely with different organizational units

When responsibilities have been assigned, it is essential to keep working closely with different business units through cooperation with the stakeholders.

The DPO needs internal partners, such as marketing, human resources (HR), legal, risk management, security, and IT.

How deeply the executive managers and internal partners get involved depends on your organization's industry and business, its corporate culture, and the personalities of the members of your management team.

For the DPO, working closely with stakeholders should include:

  • Becoming aware of how different stakeholders treat and view personal information
  • Understanding their use of the data in a business context (purpose)
  • Assisting with embedding privacy requirements into their ongoing projects to help reduce risk
  • Offering solutions to reduce the risk of personal information exposure
  • Creating and distributing surveys and scheduling tasks for updating processing activity records

3. Educate and Provide Advice

Employee training on privacy matters should be a mandatory component of the privacy program. The Data Protection Officer (DPO) does not have to conduct the training personally, but should oversee its organization and development.

The training should cover procedures for recording and updating records of processing activities, as well as how to respond to surveys related to processing. It should emphasize the significance of privacy and the importance of maintaining accurate and current records of processing.

Employees may encounter uncertainties regarding what information should be included in the records, underscoring the need for the DPO's guidance. Therefore, efficient privacy collaboration tools between the DPO and other privacy stakeholders are essential.

4. Monitoring Progress

Producing executive reports detailing the privacy status, including associated risks, should be a key outcome of the Privacy program. These reports should encompass the current state of the discovery process.

Ideally, with an established program, all data processing activities should be identified and managed through regular updates to the information.

The Data Protection Officer (DPO) is responsible for overseeing progress and should be informed about newly identified processing activities or any updates regarding existing processing.

Additionally, the DPO should coordinate tasks for stakeholders and support them in achieving their objectives. This support includes offering advice and resolving disputes that arise when different stakeholders report conflicting information about the same processing.

How to create and maintain compliant ROPA

Your data processing inventory must reflect your organization's actual data processing. A static list of records containing only the information mandated by the regulation will quickly drift out of sync with the real processing.

This is most easily done using specialized Data Privacy software that provides functionalities for effective collaboration and built-in intelligence to record privacy-related information and integrate it with other systems and data.

The most common method of creating a data processing inventory is to create ROPA in an Excel spreadsheet, and there are a lot of free and well-structured templates available on the internet for record-keeping for GDPR Article 30.

It should be noted that the GDPR only specifies the information an organization needs to record (Article 30(1): controller and DPO contact details, purposes, categories of data subjects and personal data, categories of recipients, third-country transfers, and, where possible, retention periods and a general description of security measures), not the structure or format for maintaining the records.

Excel is only a good starting point for record-keeping in small and medium companies. In the long run, a centralized inventory should be created and integrated with the organization's systems and data.

The complexity of the data inventory will depend on the following:

  • Size of the organization,
  • Number of stakeholders,
  • The volume of personal data the organization is processing,
  • Maturity of the privacy program

Beyond record-keeping, the GDPR also demands that defined policies be implemented in accordance with the principles of data protection.

This means that all information in the Records needs to be aligned with business processes and IT systems, and the corresponding policies (retention, access, transfer) need to be applied to the personal data held in those IT systems.

One problem with keeping ROPA in Excel is that no automated actions are applied to the data or processes in case anything important changes in the records.

For example, there will be:

  • No notifications when there is a new third party added to the processing;
  • No actions if a data retention period has changed or expired;
  • No automated tasks for stakeholders in case the risk for processing activity is high or critical, etc.
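The automation missing from a spreadsheet is essentially change detection over the records: compare the last known version of each record with the current one and raise an event when something relevant changes. The following is an added example and not code from the original article or from any privacy product it mentions. The record fields follow GDPR Article 30(1); the event names, the four-level risk scale, the `retention_start` field, the "dpo" assignee and the sample records are assumptions made for this example.

```python
"""Change detection over Records of Processing Activities (ROPA).

Added example; not code from the article or any product it mentions.
Assumed: event names, the risk scale (low/medium/high/critical), the
retention_start field and the constructed sample records below.
"""
from __future__ import annotations

from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional

HIGH_RISK = {"high", "critical"}  # assumed risk scale used to trigger tasks


@dataclass(frozen=True)
class ProcessingRecord:
    """One Article 30(1) record plus the operational fields this check needs."""
    activity_id: str
    name: str
    owner: str                            # stakeholder who maintains the record
    purpose: str
    data_subjects: tuple[str, ...]
    data_categories: tuple[str, ...]
    recipients: tuple[str, ...]           # processors / third parties receiving data
    third_country_transfers: tuple[str, ...]
    retention_days: int
    retention_start: date                 # assumed: when the retention clock started
    risk_level: str                       # "low" | "medium" | "high" | "critical"
    security_measures: tuple[str, ...] = ()


@dataclass(frozen=True)
class Event:
    kind: str           # new_activity | new_third_party | retention_changed | retention_expired | high_risk_task
    activity_id: str
    detail: str
    assignee: str       # who receives the notification or task


def retention_end(rec: ProcessingRecord) -> date:
    """Date on which the recorded retention period runs out."""
    return rec.retention_start + timedelta(days=rec.retention_days)


def diff_record(old: Optional[ProcessingRecord], new: ProcessingRecord,
                today: date, dpo: str = "dpo") -> list[Event]:
    """Compare the previous and current version of one record and emit events."""
    events: list[Event] = []
    if old is None:
        events.append(Event("new_activity", new.activity_id, new.name, dpo))
    # A recipient that was not in the previous version is a new third party.
    old_recipients = set(old.recipients) if old else set()
    for recipient in new.recipients:
        if recipient not in old_recipients:
            events.append(Event("new_third_party", new.activity_id, recipient, dpo))
    # Retention period changed: the DPO should review the justification.
    if old is not None and old.retention_days != new.retention_days:
        events.append(Event("retention_changed", new.activity_id,
                            f"{old.retention_days} -> {new.retention_days} days", dpo))
    # Retention period has run out: the owner must delete or re-justify the data.
    if retention_end(new) <= today:
        events.append(Event("retention_expired", new.activity_id,
                            f"retention ended {retention_end(new).isoformat()}", new.owner))
    # Risk moved into the high/critical band: assign a review task to the owner.
    was_high = old is not None and old.risk_level in HIGH_RISK
    if new.risk_level in HIGH_RISK and not was_high:
        events.append(Event("high_risk_task", new.activity_id,
                            f"risk is {new.risk_level}: schedule DPIA review", new.owner))
    return events


def check_inventory(previous: dict[str, ProcessingRecord],
                    current: dict[str, ProcessingRecord],
                    today: date, dpo: str = "dpo") -> list[Event]:
    """Run diff_record over every record in the current inventory snapshot."""
    events: list[Event] = []
    for activity_id, rec in sorted(current.items()):
        events.extend(diff_record(previous.get(activity_id), rec, today, dpo))
    return events


# Constructed sample data: two snapshots of a small inventory. Not real records.
_HR = ProcessingRecord("HR-002", "Payroll", "hr.manager", "Salary payment", ("employees",),
                       ("bank account", "salary"), ("Payroll SA",), (), 30, date(2024, 4, 1),
                       "low", ("encryption at rest",))
PREVIOUS = {
    "MKT-001": ProcessingRecord("MKT-001", "Newsletter", "marketing.manager", "Direct marketing",
                                ("subscribers",), ("email", "name"), ("MailService Ltd",), (),
                                365, date(2023, 1, 1), "medium", ("TLS", "access control")),
    "HR-002": _HR,
}
CURRENT = {
    "MKT-001": ProcessingRecord("MKT-001", "Newsletter", "marketing.manager", "Direct marketing",
                                ("subscribers",), ("email", "name", "click behaviour"),
                                ("MailService Ltd", "AdTracker Inc"), ("USA",),
                                730, date(2023, 1, 1), "high", ("TLS", "access control")),
    "HR-002": _HR,
    "SUP-003": ProcessingRecord("SUP-003", "Support tickets", "support.lead", "Customer support",
                                ("customers",), ("email", "ticket text"), ("CloudDesk GmbH",), (),
                                90, date(2024, 5, 15), "critical", ()),
}
CHECK_DATE = date(2024, 6, 1)

if __name__ == "__main__":
    for ev in check_inventory(PREVIOUS, CURRENT, CHECK_DATE):
        print(f"[{ev.kind}] {ev.activity_id}: {ev.detail} -> {ev.assignee}")
```

Run as a script it prints one line per event; on the sample snapshots that is a new third party, a retention change and a high-risk task on MKT-001, an expired retention period on HR-002, and a new activity with a new recipient and a critical risk on SUP-003. In a real deployment the two snapshots would come from the inventory's own history and the events would feed a ticketing or notification system.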

Compare your privacy program to a Moon landing program: the DPO is the mission control manager, the stakeholders responsible for data processing are the astronauts, and data processing is the flight to the Moon.

Keeping records of processing in Excel would be like waiting for the astronauts to return before learning anything about the mission. Mission control would have no way to know that something had gone wrong with the flight in time to help.

That is why it is so important to get control over personal data processing, keep an up-to-date inventory of the processing activities, and a tool that enables different organizational units to communicate and collaborate.

More articles by Maja Gečević