Misunderstanding 3: Register of Processing Activities

March 21, 2018

In the blog series The 7 biggest misunderstandings about the GDPR, we settle the 7 most common misunderstandings. This week we are dealing with the register of processing operations.

An important principle when processing personal data is accountability. This means that the controller (and the processor) is responsible for compliance with the General Data Protection Regulation (GDPR) and must be able to demonstrate that compliance. One concrete expression of accountability is the register of processing activities. It is a widespread misconception that such a register is only compulsory for large companies. In practice, almost every organisation is required to keep a register of processing activities.

From duty to report to duty to register

Under the EU Privacy Directive and its national implementation laws, companies had to notify their processing operations to the Personal Data Authority. The Authority kept a register of the processing operations notified to it, and this register was open to public inspection free of charge. Under the GDPR, this 'duty to report' is replaced by a 'duty to register': instead of reporting processing operations to the Personal Data Authority, organisations must now record their processing operations in their own register. Caution! Reporting data breaches remains mandatory under the GDPR.

What is the obligation to register?

Article 30 of the GDPR requires the controller (and, to a lesser extent, the processor) to keep records of the processing operations they carry out. There is one exception: companies and organisations employing fewer than 250 employees are exempt from the obligation to register, unless the processing is likely to result in a risk, the processing is not incidental, or the processing concerns special categories of personal data or criminal data.

This means that a small business which carries out even a few non-incidental processing operations is already subject to the obligation to keep a register. And this is the case with most (small) organisations. Non-incidental processing of personal data is any processing of a structural or permanent nature. These are processing operations that almost every small business carries out, such as keeping payroll records, maintaining a customer database, and even using e-mail. In other words, the exception has so many hooks and eyes that hardly anyone falls under it.

For the sake of clarity, the following is a further indication of when the obligation to register does apply:

  • For enterprises or organisations with more than 250 employees
  • When high-risk processing is carried out
  • When non-incidental (structural or permanent) processing operations are carried out
  • Where special categories of personal data or criminal data are processed

What is in the register?

First of all, the register shall contain the contact details of the controller and, where applicable, of the Data Protection Officer of the organisation. In this way, data subjects know whom they can contact if they have any questions about their data. The register also lists the various processing operations carried out, the purpose of each processing operation, a description of the categories of data subjects, and which personal data of these people are processed. In addition, it records whether personal data are transferred to third parties, who these parties are, and whether there is a transfer to third countries. Where possible, the register also records which data are retained for how long. Finally, it describes in general terms the technical and organisational measures taken to ensure the security of the personal data.

You can see that keeping a register of all the types of processing you carry out can become a considerable administrative burden. But it doesn't have to be difficult. Privacy Nexus (https://www.privacynexus.io/) offers a solution: this easy-to-use tool helps you maintain the register.