Simplifying the Records of Processing Activities Feature
According to the GDPR, a processor means a natural or legal person, public authority, agency or other body which processes personal data on behalf of a controller. Article 30 states that a processor must also maintain “Records of Processing Activities” carried out on behalf of a controller.
Either entered individually, or using the client import template, PrivIQ has made it simpler for a processor to manage and produce the information necessary to maintain Records of Processing Activities.
Under Organisation, select Subscription and select the feature ‘My organisation is a processor for other controllers’. This will reveal the ‘Clients’ feature in the Processors section.
The Controller as Processor section on this page will be discontinued on 30 May 2019. Please provide the information required in the new Clients section under Processors.
What are my first steps?
We recommend that you first create your processing categories.
- 1.Give the processing category an appropriately descriptive name – e.g. ‘Payroll Run’ or ‘Marketing Automation’ or ‘Software as a Service’ etc.
- 2. Provide a brief description of the activities
- 3. Select the country or countries where the processing activities occur
- 4. Indicate whether the processing is Internal (within your organisation) or External to your organisation – in other words, with other processors
- 5. If Internal and you have selected countries outside the EU (in 3. above), you must indicate the ‘Export legal basis’ – (which will most likely be Binding Corporate Rules)
- 6. If External and you have selected countries outside the EU (in 3 above), you must select from your Processors already created in the Processing section.
- 7. Add any relevant notes and then Save
Add all controllers (your clients) on behalf of whom you process, their representatives and DPO’s details (where applicable), then associate each client with the relevant processing category or categories and Save.
Once Saved, you also have the option to upload the signed contract with your client.
What if I have many clients to create?
In the Clients tab, select ‘Client import template’, capture all the details as suggested in the template then import the file using ‘Import clients’.
Please note, after you import clients you will need to check that ‘Processing Categories’ has all the relevant details as suggested in the steps 1 to 7 above. Ensure that all relevant Processors exist under Processor Contracts.
This is an important step because as a processor you shall not engage another processor without prior specific or general written authorisation of the controller.
In the section on Security Measures which sits under Governance/Records of Processing Details, add details that are relevant to the processing activities.
What if I have already used the existing section under Governance?
Any data already captured in the existing section will be migrated to the new section by 30 May, 2019 and the Records of Processing Activities report will include all information from the existing section until then.
This improvement is available since the 24th of April 2019