A year after the law was enacted, nearly one-third of EU businesses were still not General Data Protection Regulation (GDPR) compliant.
Are you a business owner still struggling to understand the rules and regulations? Penalties for failing to protect personal data can result in fines of tens of millions of euros, so you can't afford to be caught unaware.
A vital aspect of GDPR compliance is making a Record of Processing Activities for your company. You might also hear it called an RoPA, Data Flows, Data Mapping, Data processing activities, or Procedure Index.
Whatever you choose to call it, you are required under Article 30 to maintain a record of your processing activities, whether you are a data controller or a data processor (i.e., someone carrying out data processing on behalf of a controller). The point of these records is to understand your GDPR risks and ensure you're in full compliance.
Here's a step-by-step guide to protecting your data subjects' personal data with a Record of Processing Activities.
Step 1: Collect Basic Company Information
Start by listing all the areas within your organisation. This can be a challenge for any company, large or small.
Either way, create a list that includes every activity your company participates in and divide these into departments. The list should also include the company name and contact details for the Director or CEO.
Step 2: Create Department Profiles
For each department you've listed, think of how they use personal data. For example, your Sales, HR, and Finance departments all use personal data, but for different purposes.
Next, think of the person in each department who is most involved in (and best understands) the way this personal data is used. This may or may not be the manager or department head. The person you choose should understand exactly how their department uses data and should feel confident answering any questions related to their work.
Step 3: Appoint a Data Protection Officer
Article 37 of the GDPR states that every business must have a designated Data Protection Officer (DPO). Ideally, this role should go to your Chief Operations Officer or the Head of Legal.
However, it can be anyone you choose, so long as they're willing to learn about GDPR law. Once you've selected the appropriate individual, they'll need to sign a document that officially declares them the DPO.
Step 4: Each Department Details Their Personal Data Activity
The most tedious part of the process is detailing each and every activity that uses personal data. Your department heads will need to provide the following details:
- A description of the data processing activity
- The legal basis and purpose of the activity
- Data collection and processing methods
- The categories of data subjects whose personal data is processed (e.g., customers, employees, clients)
- Any special categories of data subjects or data (e.g., children)
- Data storage methods and retention periods
- All the security measures you have in place
In short, you need to clearly define what type of data you collect (and from whom), who's in charge of it, and what the processing includes (i.e., what you do with that data during and after using it).
Step 5: Consolidate All Information Into One Report
Now that the hard work is done, your final step is to consolidate your efforts into one file. This becomes your Record of Processing Activities, which you'll then send off to the proper authorities.
Keep Track of Personal Data Across All Your Data Processing Activities
Are you overwhelmed just thinking about all these steps?
Don't worry — you don't have to go it alone. With Dapple, you can breeze through your compliance responsibilities and get back to running your business.
Dapple allows you to easily create and store records of all the data processing activities your company handles. Then, your DPO can generate and send those documents directly to your data protection supervisory authority.
Are you ready to see how easy compliance can be? Sign up and try Dapple for your business! Get started with your Record of Processing for Personal Data to comply with the GDPR today!