How do you create your GDPR processing register?

What is the GDPR processing register?

 As part of compliance documentation, article 30 of the GDPR provides for the Register of Processing Activities. This is a census and analysis document that gives the opportunity to reflect the reality of personal data. The GDPR Processing Register must make it possible to identify precisely: 

• Stakeholders involved in data processing, such as processors;
• Categories of data processed ;
• The usefulness of this data , particularly in terms of what we do with it ;
• Who can access them and to whom they are sent ;
• How long will this data be kept;
• How they are secured.

In all other respects, the GDPR Data Processing Register can be defined as a tool for steering as well as demonstrating GDPR compliance.

 Thanks to this tool, processed data is documented. This allows us to ask the right questions about the usefulness of each piece of data, so that we can distinguish between those that are useful for processing purposes, and those that are not.

The relevance of storing data and protecting it are some of the questions we can ask ourselves thanks to the Data Processing Register. 

Who is affected? As soon as they process personal data, all organizations whether public or private and regardless of their size, are obliged to set up a GDPR Data Processing Register.

However, if there are fewer than 250 employees, it can be reduced to include only part of the personal data processing activities.  

For more details on provisions and subcontracting, consult the site of the CNIL (National Commission for Information Technology and Civil Liberties).

GDPR processing register: 2 categories of activities

Before setting up a GDPR Processing Register, any organization must identify whether it is acting solely as a controller or as both processor and controller. Indeed, the GDPR defines specific obligations for each of the two types of registers. 

The data controller's register

This register must identify all data processing carried out by the organization itself (since it is the data controller). 

Technically speaking, a log sheet must be drawn up for each activity. 

The processor register

Unlike the controller's register , the processor's register must make it possible to identify all the categories of processing activities carried out on behalf of clients. 

Here again, for each activity, a log sheet must be drawn up, as for data hosting or IT maintenance, for example. 

The difference between the two registers is that the first is set up when the organization is itself responsible for personal data, whereas the second is set up when the organization acts as processor. 

Download a sample data processing register

Use the CNIL (National Commission for Information Technology and Civil Liberties) sample data processing register to draw up your company's data processing register.

Download

Drawing up your own GDPR processing register

Gather available information

- Identify and meet the operational managers of the various departments likely to process personal data;

- Analyze the website and identify data collected in online forms;

- Use the list of processing operations declared to the CNIL (National Commission for Information Technology and Civil Liberties).

Drawing up a list of treatments

- List the various activities requiring the processing of personal data ;

- Use the information gathered during interviews ;

- Fill in a log sheet for each activity.

Refine / specify

- On the basis of this register, identify and analyze the risks that may weigh on the data processing implemented;

- Draw up a GDPR compliance action plan.

Updating your GDPR processing register

💼 There are numerous functional as well as technical developments in data processing. Consequently, the data processing register must be updated on an ongoing basis in line with changes to the conditions under which the various processing operations are implemented. Examples include the collection of new data, or an extension of the Data retention period. 

Example of a GDPR processing register

As is the case for all data controllers, the CNIL (National Commission for Information Technology and Civil Liberties) has set up its own processing register, enabling it to identify in detail all these processing activities. In order to set the best possible example, the personal data regulator has decided to make this processing register public, with explanations. 

📌 You can view it, by clicking on the "Download" button on the right of your screen.