Many companies are not yet compliant with the European privacy rules (GDPR). Some have quickly picked a privacy statement from the internet and put it on their website. But that alone is not enough to meet the documentation obligation, which means keeping a paper trail of the personal data you encounter and what you do with it.
Two birds with one stone
By keeping an internal register of processing activities, also called a data register, you can kill at least two birds with one stone. First, because you record all your personal data activities in the register, you take the first and most important step towards complying with your documentation obligation.
Secondly, keeping such a register is itself legally required (Article 30 GDPR). For a while there were doubts as to whether small companies were also subject to the register obligation, but according to the Data Protection Authority practically no one escapes it. As soon as you have a single customer, supplier or staff member, you must maintain a data register.
Is there a sample document for the data register?
No, there is currently no official template for the data register. Any register is allowed as long as it contains the legally required minimum content. The Data Protection Authority does make a model register available on its site. However, since that is a blank model, it can be quite time-consuming to start from that sample document.
Looking for a simple and user-friendly register? Surf to our e-shop.
Do I have to disclose the register?
No. Unlike your privacy statement, the data register is not intended for the outside world. No one needs to see it other than you, your authorised employees and the Data Protection Authority, which may ask for it.
But once you have completed the data register, you can use those insights to prepare a correct privacy statement for the outside world. That is the third bird with the same stone.
What should be in a GDPR register?
First of all, you must include the contact details of the controller. That is the company that is ultimately responsible for the personal data. If you have appointed a Data Protection Officer, state this as well. Optionally you can also list the processors you work with. That is not a bad idea at all in the context of your documentation obligation. Then comes the register proper. Here you walk around the company, so to speak, and make an inventory of all data processing activities:
- What personal data do you process? (e.g. e-mail address, mobile phone number, photos, etc.)
- From whom do you process data? (e.g. B2C customers, employees, prospects, etc.)
- Why do you process the data? (e.g. customer management, direct marketing, job applications, etc.)
- With which third parties do you share the data? Are those third parties inside or outside the EU?
- How long do you keep the data?
- What legal basis do you use for the processing? (e.g. consent, performance of a contract, legitimate interest)
- What measures do you take to keep the data safe? (e.g. password policy, backups, processing agreement with each processor)
Ready! What do I do with the register now?
Finished your register? Then save it in a central GDPR folder, where you collect everything concerning your documentation obligation. This way you can show with one click that you take privacy seriously.
Note that you must maintain the register so that it is always up to date. Keep the old versions of the register as a kind of paper trail. Finally, make backups of it, so that the register is not lost in the event of a crash or a break-in to your systems.
Every company, large or small, has to deal with personal data. Securex is happy to help you with documents or customized advice.