Data Mapping: Identifying Data and then Following it

Are you bound to keep records of processing under GDPR? Learn more about what your obligations are and get a quick tour of how you can go about it.


Anghrija Chakraborty

Role: Anghrija is a guest blogger at Kinant. Opinions expressed are her own and not necessarily those of Kinant.

Are you Obligated to keep Records of Processing?

Article 30 of the GDPR pertains to records of personal data processing.

  1. Does your company employ 250 employees or more?
  2. Does your company make use of scoring, profiling, comprehensive monitoring or new and intrusive technologies, where such processing is not occasional?
  3. Does your company process special categories of data like health data, biometric data, or personal data relating to criminal convictions, etc.?

If the answer is yes to any of the above then,

Upon request, such records will have to be produced to supervising authorities.
Non-compliance can lead to an administrative fine of up to EUR 10 million or up to 2% of the annual global turnover being levied on enterprises (Article 83(4) GDPR).

Resources to Help

Now that we know about the requirement, these templates will help us go about putting these records together.

Steps to Create Records of Processing

For Data Controllers

If you are a data controller, the following are some of the information placeholders that you must complete:

Details of the controller

This section should include, but not be limited to, the following:

  • Name
  • Address
  • Postcode/Pincode
  • Telephone
  • Email address
  • Any other address (like an internet address or website)
  • Details about any representative of the controller (if applicable)

The controller could be a natural person, a legal entity, an authority, any other institution, etc.

Details about the Data Protection Officer (DPO)

If you have appointed a DPO (per Article 37 of the GDPR), here’s where you include the details as follows:

  • First name
  • Last name
  • Address
  • Postcode/pincode
  • Telephone
  • Email address
  • Any other relevant address

Identify Data Processing Activities

For each of your processing activities, complete the following information:

  • A brief description of the processing activity
  • Details about the responsible department (including details about the contact person, like name, designation, email address, any relevant phone number, etc.)
  • The purpose(s) of processing
  • Categories of data subjects – employees, job applicants, clients/customers, vendors, suppliers, children, patients, research subjects, others.
  • Description of the categories of personal data (please consider making a distinction between personal data and sensitive or special categories of personal data)
  • Information about disclosure of personal data to recipients. Include details about the recipient, e.g., internal (most likely an internal department or function that would most likely have authorized access), external (could be a vendor or a supplier that helps you process), or an international organization in a third country
  • If data is being disclosed to an international entity in a third country, please fill in details of who the receiver is and how the data is transferred (model contractual clauses, US-EU Privacy Shield, BCR, etc.)
  • When such personal data is deleted
  • All technical and organizational measures that are in place to secure the personal data.

For Data Processors

If you are a data processor, there are additional details that you will be required to fill in. Let’s start with yourself. Include details about yourself, as follows:

  • Details like name and contact (mention whether you are an individual entity or a group of companies, name, address, postcode/pincode, telephone, email address, any website address, etc.)
  • If you have a joint processor, include details for them as above.
  • Do you have a representative or an agent? If yes, include details as above.
  • Have you appointed a data protection officer? If yes, include relevant information like first name, last name, address, postcode/pincode, telephone, email address, etc.

Once this is done, fill in the details about the concerned controller (could be an internal team within your company, a client or a customer) that you are processing the specific data for.

  • Information about the client/customer (mention if it is a company, include name, address, postcode/pincode, telephone, email, website address, etc.)
  • The categories of processing that you are performing – view access, shredding, archiving, communication, cloud services, troubleshooting, debugging, hosting certain systems (describe what system – email, internet, etc.), payroll, staff administration, reimbursements, etc.
  • Transfers of personal data to a third country – if yes, then please fill in details of who the receiver is and how the data is transferred (model contractual clauses, US-EU Privacy Shield, BCR, etc.); if subcontractors are engaged, then details of such subcontractors.
  • All technical and organizational measures in place to secure the data.


Such registers of data processing are an important part of privacy documentation (a mandatory requirement if you have an employee strength of 250 or more). You could keep these registers in written or in electronic form. Failure to meet privacy documentation requirements may lead to an administrative fine of up to EUR 10 million, or 2% of your annual turnover.