As a Controller, it is pretty challenging to meet the requirements of GDPR without great records detailing where, what and how personal data is processed. If you’re an organisation with more than 250 employees, there is a requirement to document your processing activities (See Article 30) but if you’re one of those organisations with less than 250 people, then you have a [partial] get-out-of-jail card. The thing is, even if it’s not mandatory, it’s still incredibly useful to document processing activities. This will help you comply with all the other aspects of GDPR you are still ‘on-the-hook’ for. In this brief article, we will look at 7 items which all organisations – small or big – should (or in certain cases must) include in a GDPR process inventory of their processing activities.
1 – GDPR Process Inventory – Contact Details
This is basic information about the Controller and the role of the person who is going to be the custodian of the Processing inventory. A good custodian would be the Data Protection Officer (DPO) but doesn’t have to be. If you don’t have a DPO, consider assigning custody to the person who is responsible for notifying the Supervisory Authority (e.g. ICO) should there be a data breach. If there is a data breach, the Supervisory Authority may request this information so always useful to know where it is!
2 – Process Owner
For every process, there really needs to be an owner assigned. GDPR doesn’t explicitly mandate an Owner is assigned but let’s face it – if no-one owns the Process, the organisation is going to find it a little challenging to demonstrate the accountability and transparency which is at the heart of GDPR. It’s a complete waste of time to assign ownership to a department – it must be assigned to a specific role held by a person of appropriate seniority (e.g. Head of HR or Head of Marketing) to realistically demonstrate accountability.
3 – GDPR Process Inventory – Purpose and Description
In your GDPR processing inventory, there are three items which must be recorded, which we will get to in a minute. In addition to those items, the inventory should also include a link to a more detailed description and a data flow diagram. For those who have never created a data flow diagram, don’t try and make something up, use a methodology such as Business Process Model and Notation (BPMN). BPMN is really easy to learn and there are lots of free resources available both to learn BPMN and to create BPMN diagrams. By using BPMN organisations can significantly reduce the amount of time required to explain the activity because everyone will have the same reference point!
So on to what should be in the GDPR processing inventory. Article 30 states the purpose of each processing activity must be recorded. This should be a simple plain language statement as short as a verb-noun pair (e.g. Remunerating Employees or Profiling Customers) but could be longer if required.
In addition to the purpose, a description of the Data Subject categories must be documented too. These could include Employees, General Public, Customers/Clients. Try not to use too many categories as this can increase the effort required to maintain the inventory or gather useful analytics to support data protection governance activities.
Finally, the categories of personal data involved must be documented. One approach is to use the personal data categories suggested in the ENISA Personal Data Breach Assessment Methodology which are:
Simple: Eg. biographical data, contact details, full name, data on education, family life, professional experience, etc.
Behavioural: Eg. location, traffic data, data on personal preferences and habits, etc.
Financial: Any type of financial data (e.g. income, financial transactions, bank statements, investments, credit cards, invoices, etc.). Includes social welfare data related to financial information.
Sensitive: Any type of sensitive data (e.g. health, political affiliation, sexual life).
Another key advantage of using the ENISA categories is that you will be in a much better position to assess the impact of data breaches and whether a breach has reached a reportable threshold – your inventory is already adding value!
4 – Third Parties
Record information about the categories of third parties to which personal data is shared. This could be a Processor, it could be Referees (e.g. in an employment context) or it could be a government agency (e.g reporting tax information to HMRC). Again, this information is valuable as it lets you know where data is leaving the organisation. It will also be a good starting point for assessing where contracts need to be reviewed and prioritised for updates (i.e. tackling Processing with most risk first).
5 – GDPR Process Inventory – Transfers to Third Countries
A Third Country is any country that is not a member of the EU. There are restrictions in regards to transferring personal data to third countries so as a controller you would want to know if this affects you and that the transfer is lawful. It’s therefore important to record information about data transfers outside the EU and the lawful basis you are relying upon. It’s worth noting that even if you are transferring data within your own organisation (e.g. to another office in a third country), the transfer restrictions still apply.
6 – Retention Periods
A fundamental principle of data protection is to only keep the data for as long as it is required and no longer – so how do you know what is too long? Typically there are two primary scenarios – a legal minimum retention period exists or it doesn’t. What an organisation should do is; first, identify where legal minimum retention periods exists and decide whether there is a requirement to keep data any longer than the minimum required by law – if not the legal minimums should really be the Controller’s maximum. Where data is required for longer an internally derived retention period should be justified and then recorded. Similarly, where no legal minimum exists a retention period should also be determined, justified and recorded.
In complement to the GDPR inventory, an organisation should also have a Records Management policy which incorporates retention periods but may instead, choose to have a standalone Records Retention policy. Periodically, or on a change, the Processing Inventory and the Records Retention policy should be cross-referenced for completeness (and updated when necessary). As a side note, it’s worth highlighting there is a principle called ‘Legal Hold’ whereby data is preserved in anticipation of legal action. In such cases, personal data may be held for longer than the originally determined retention period. Controllers need to have controls in place to stop internal (and external Processors) from destroying records which are covered by a Legal Hold.
7 – GDPR Process Inventory – Security Controls
There is little to no point cluttering an inventory with a list of security controls but what would be more helpful in the inventory is a link to a Data Protection Impact Assessment (DPIA) which details the technical and organisational security measures that have been built into the Processing Activity. Even if you don’t complete a full DPIA, each processing activity really needs to have an information security risk assessment. What may be of use in the inventory, in addition to the link to the detailed assessment is the following:
Date of Last & Next Assessment: Where change is more frequent, so too should be the frequency of assessment.
Inherent Risk: How much risk is inherent to the processing activity
Residual Risk: How much risk remains after controls have been put in place
Target Risk: The risk level the organisation is willing to accept. This could be higher (if over-controlled) or lower (if under-controlled) than current Residual Risk.
By having the above information accurately recorded and maintained in an Inventory, Senior Management will have a good view of their organisation’s processing activities. Maintaining a Processing Inventory will certainly aid in demonstrating accountability and transparency. In addition to its use as a dashboard for Senior Management, the Processing Inventory will also aid the DPO to prioritise resources, focussing on those areas with the greatest risk or largest gaps in compliance.
About the Author
About Fox Red Risk
Fox Red Risk is a boutique data protection and cybersecurity consultancy and Managed Security Service Provider which, amongst other things, helps client organisations with implementing control frameworks for resilience, data protection and information security risk management. Call us on 020 8242 6047 or contact us via the website to discuss your needs.
22301 22301:2019 article 28 awareness bcms BIA business continuity calculating risk change management ciso controller cybersecurity data breach data privacy Data Protection data protection by design data protection officer data protection service Data Subject Access Request DPO DSAR GDPR incident management information security leadership monitoring operational resilience Outsourced DPO Privacy processor risk risk appetite risk management ROI security security as a service small business strategic strategy Subject Access Request tools training transparency vciso virtual ciso
