A Step-by-step guide on how to create Records of Processing Activities!
Records of Processing Activities (RPAs) is a term that is being thrown around quite a bit. It is also referred to as Procedure Index, Data Mapping, Data Flows among others. It is required by law and consititues the standard format of compliance proof by European data protection authorities. It is a daunting prospect for most companies since only 34% of the companies (vpnMentor, 2018) are on their way to compliance so far. To make it easier for you, we are going to outline all the steps to keep your records of processing activities ready for authorities:
Step 1: Collect the names of all the departments in your company
Think of all the functionalities you have in your company. The departments are not always divided clearly especially if you are a start-up: chances are you don’t really have organised departments. So take a moment, and think of all your functionalities and organise them in a detailed manner so that every activity that you do is put in a department.
Step 2: Fill out your basic Company Information
This includes name of your company, the contact details of the person, usually the company’s Managing Director or Chief Executive Officer (CEO).
Step 3: Pick a platform for all GDPR related documents and work
You need to decide how you want to manage all the documents together. Do you want to use Google docs and keep them all in a drive? Or do you want to make folders on your internal company network and use Microsoft Office? Or would you like a Task Management Software for GDPR? It is important that you pick an option and then stick to it since there will be lots of documents that you would need access to. Keep them in one place so finding them is not a hassle.
Step 4: Now think of all departments that have processes for personal data
Visualize of all the departments in your company that utilise data in one way or another. For instance, Sales and Marketing, Product Development and Finance Department. Are these departments using any user data you obtain in any way? Make a list of these departments.
Step 5: Think of the people responsible for these processes in each department
Imagine all the people who mostly manage the data related activities in each department. Make a list of all these people. It is important that the person you pick knows very well what the department does with the data and can answer questions relating to all such department activities. The person you pick does not necessarily need to be the Head of the Department but rather the one who knows the most about activities related to personal data.
Step 6: Now put the information together to create a department profile
Combine the two lists so that you have the name of the department and the corresponding contact person of the department.
Step 7: Find an Internal Data Protection Officer
Ideally, you need to appoint one person for your company who will act as the Data Protection Officer. This person can be anyone from your company and would later need some training or would need to read the law or at least have a functional understanding of it. Ideally, this could be your Chief Operations Officer or Head of Legal. Usually, DPO is the personal also leading the records of processing activities.
Step 8: Sign a document with them to officially appoint them as your DPO
In order to officially appoint the chosen person as your DPO, you need to sign a document with them. Outlining their responsibilities and the purpose of the role in line with the Article 37 of the GDPR. Our tool provides you with the document that you can then download and request a signature for.
Step 9: Every department makes a list of all their activities that use data
So ideally, each department should records the activities that process data. For instance, personell files would be one activity in the HR Department. Providing email services is an example of the IT department.
Step 10: Give details of each of this activity
This is the tedious long-term task that has no short-cuts. You need to go step by step and define this activity. There are a few important points that you need to write down for each of these activities. Theses activities collectively are called records of processing activities. Let’s go over these points one by one.
Step 10.1: Description of the Activity
This would include what the activity is and who is the contact person responsible for the activity. For example, IT for Employees and someone in the IT department would be responsible for it.
Step 10.2: Purpose and Legal Basis of the Activity
The GDPR states that you have to explicitly mention how this activity is aligned with the overarching purpose or vision of your company. If it uses personal data of people, you need to show the legal justification of how you are obtaining this data from people: is it through consent for instance? Or a processing of a contract? This is the most critical part of records of processing activities since people confuse the legal basis while adding their processing activities.
Step 10.3: Data Collection and Data Processing
In this part, answer the question if you collect Personally Identifiable Information like name, email address, band details etc. If you do, where do you collect it and do you explicitly ask for consent before you get the information? Do you give this data to third parties? If yes, who are they and what do they do?
Step 10.4: Nature of the Data
Whose Data is this? Is it customers, clients, employees or partners? And what is it? Names, email addresses, bank details are some examples.
Step 10.5: Data Storage and Deletion
This is the straightforward part if your processes for this are defined. Unfortunately, most companies do not have processes for this kind of thing. It includes how long you store the data for? What is the exact location of this storage? And when do you delete it?
Step 11: Now combine them all in one Report
The final step of records of processing activities is to reorganize all this information from different departments and people, consolidate it, make sure you are not missing an activity or details of it and put it all together in one place for the authorities.
In small organizations it is possible to do this work in spreadsheets.
If you are researching this information for a larger organization, you might consider an integrated technical solution, like ECOMPLY. Ecomply.io allows you to create one-click reports, provides you with all the templates as well as guidance on what information to put into the different gaps. Our Task Management Tool is based on the legal requirements of the GDPR to ensure that the guidance actually helps you understand what to do.