The GDPR has a number of requirements for the processing of personal data. For example, you should not process more personal data than is necessary, you may only process the personal data for the purpose for which they were collected and you should keep a record of which personal data you process for which purposes. But do you actually know which personal data is processed within your organization? And how are you going to find out? In this blog you will learn more about how to find out.
Compliance with the GDPR starts with a thorough inventory of the data processing that takes place within the organization. However, this is easier said than done. Because how are you going to find out which personal data is processed within your organization and why the data is actually processed? And what do you actually want to know?
A good starting point for finding out which personal data is being processed is the processing register. That is, if the organization has its processing register in order. After all, the processing register is in fact an overview of what exactly happens with personal data within the organization. You include at least the following information in the processing register:
- the purposes for which personal data are processed;
- the categories of data subjects;
- the categories of personal data;
- the categories of recipients;
- whether personal data is transferred to third countries, and if so, which country it concerns and (if transfer takes place on the basis of Article 49 GDPR)
- what measures have been taken to protect the personal data;
- the intended period within which the personal data will be kept and why; and
- a general description of the technical and organizational security measures.
If you do not have the processing register in order, you will want to find out the above information during the inventory. The easiest way to find out the information is to have conversations with employees from the different departments within the organization. This includes, for example, the managers of the departments, but also the employees who have to deal with personal data in their daily work. It is precisely these employees who will have a good insight into which personal data is actually being processed and what the data is needed for. In addition, they know which systems they work with and who can therefore possibly be regarded as recipients of the personal data.
To ensure that you do not forget anything, you can work with a standard questionnaire based on the information that you must include in the processing register. With this questionnaire you can approach the various employees in person, but you can of course also send it by e-mail and ask the employees to complete it themselves. Because organizations develop and legislation can change, it is important that the inventory is repeated at least once a year. In this way you can be sure that you stay informed of the personal data processed within your organization.
What to do with the information gained?
Have you completed the inventory and do you know exactly which personal data is processed within your organization, why this happens and how? Then you’re not quite there yet. The next step is to include this information in the processing register. That way you also immediately take a good step towards meeting your accountability obligations. From the processing register you can then continue working towards the other obligations from the GDPR, such as the information obligation towards data subjects. But remember: GDPR compliance starts with a thorough inventory!