Privacy Company advisors talk GDPR: Privacy by Design & Default and the register of processing activities

August 15, 2018

The GDPR is at the heart of our team's work. This means that we work with it on a daily basis, analyse the texts, understand the obligations and, in particular, translate them into practical tools for our customers. Which article do our colleagues prefer to work with? How do we help our customers to implement the articles? In this blog series our team is talking, each about one specific article. Today, the blog post is discussing the principles of Privacy by Design & Default and the obligation to create a register of processing activities!


When you process personal data as a controller or processor, you have a number of general obligations. One of these obligations is that when processing personal data, you must ensure that privacy is guaranteed from the moment of development until the last use within the products and services. It is also important that you, as an organisation, protect the person involved by putting the settings and functions of these products on the most privacy-friendly stand by default. Cora writes the following about these principles:

Taking privacy into account in the development of new products and processes, requires to take the most privacy-friendly attitude as the starting point. During my work, I see that implementing privacy can be experienced as difficult. But when the importance is recognized, and the awareness of the possibilities of privacy comes up, the most inventive and surprising ideas emerge to make the product or process workable and privacy friendly.


One of the other general obligations of the controller and, to a lesser extent, of the processor is to establish and maintain a register of processing activities. This obligation means that for each processing activity you have to register a number of things, such as the purpose, the relevant categories of data subjects/personal data and the recipients of these personal data. Sterre writes the following about the obligation in Article 30 of the GDPR:

I think this is one of the most time-consuming obligations for organisations. A participant in one of our trainings gave the nice comparison that you can see it as the "accounting" of the personal data. And this bookkeeping can be set up in several ways. Some organisations choose to use an Excel template, while others use specialized software. Setting up the register can also be a good opportunity, in combination with data management, to create more effective and efficient business operations.

Curious about which other parts of the GDPR our colleagues are going to tell you about? In the next blog post, Erwin and Anouk will tell you about the obligation to report data leaks!