2.2 Design

TPOmap supports the design phase of a Privacy Management Program in the following ways:

2.2.1 Establishment of a record of data processing activities

Under the GDPR (art. 30), each controller and each processor of personal data (as defined in art. 4 GDPR) must properly document the way they handle personal data. This means that whenever personal data (i.e. information about an identified or identifiable individual) are collected and used for a given purpose, certain mandatory information must be registered in a “record”.

Pursuant to art. 30 GDPR, a record of processing activities shall be a written document that is also available in electronic form. It shall be made available to the supervisory authority on request. 

TPOmap provides your organisation with a template for documenting its records of processing activities, called “processing sheet template”.

Based on our experience, we think that accountability for documenting the records should be divided amongst different staff members in order to support ownership and reduce the related documentation work per person to a minimum.

Therefore, it has been decided to complete one processing sheet per processing activity instead of creating one record for all processing activities. In this way, processing sheets may be created, maintained and modified by different staff members in parallel. There is no need for one person to draft them all.

Supporting the creation, validation and maintenance of the record of processing activities is the purpose of Module 1 of TPOmap. For further explanations about this Module 1, see Part 5 of this Guide.

As part of the documentation of the records of processing activities, art. 30 GDPR requires, where possible, a general description of the technical and organisational security measures referred to in art. 32(1). Since such measures generally do not depend on a given personal data processing activity but on the organisation(s) responsible for protecting the involved infrastructure (hereafter “Asset owner”), TPO has decided, as part of its methodology, to document the technical and organisational security measures in separate documents called “Technical sheets”, related to that organisation.

Supporting the documentation and analysis of the security measures applicable to the personal data processing activities documented in the records is the purpose of Module 2 of TPOmap. For further explanations about this Module 2, see Part 5 of this Guide.

2.2.2 Support to the design of a roadmap for compliance

Based on TPO’s consulting experience, searching for the information that is required for establishing the records of processing activities may require time and effort (e.g. searching for contracts or other relevant detailed information).

However, these efforts usually yield much more valuable information about the personal data processing activities than what is required for compliance with art. 30 GDPR. If possible, it is important to capture all such relevant information at once.

Therefore, TPOmap’s processing sheet template contains not only fields where the information required by art. 30 GDPR can be filled in, but also a series of other fields allowing for the centralised documentation of additional valuable data (e.g. contracts in place, IT products used, etc.).

Establishing the connections between these data in a way that provides insights into compliance gaps and corporate risks with regard to the security of processing (Module 2), the risk of processing (Module 3) and the legitimacy of processing (Module 4) is the overall purpose of the TPOmap Dashboard.

Completing the processing sheets and technical sheets will help your organisation become compliant with art. 30 GDPR.

In addition, the TPOmap Dashboard will:

  • Provide you with a series of metrics that allow you to assess the status of your organisation’s GDPR compliance and related digital & privacy risks;
  • Allow you to generate a risk-based roadmap for compliance for your Privacy Management Program;
  • Provide you with a series of lists and statistics that will help you to implement this roadmap over time.

2.2.3 Management of policies/tools that facilitate compliance of data processing activities

Depending on the type of activity and the size of an organisation, it may have some 10, 20, 30 or even 100 or more processing activities in its records.

Ensuring compliance of each of these personal data processing activities with the GDPR and other applicable data protection legislation will require a lot of time and effort.

A way to achieve this goal is to build a central Privacy Management Program, which establishes a programme in terms of governance. The governance of data protection and security is established by means of appropriate policies/tools approved by management and disseminated through the organisation’s structures.

As part of its long experience in advising organisations on data protection, TPO has created a series of policies/tools that can be purchased in order to facilitate compliance of specific processing activities.

Examples of policies/tools:

  • Policies such as a Privacy Management Policy for establishing governance, a Records Retention Policy, a Data Breach Management Policy, a Consent Management Policy, an Information Security Policy for protecting information systems, etc.
  • Template Privacy Notices for employees
  • Template Privacy & Cookie Notices to display on websites
  • Template Controller Processor Agreements
  • Template Joint Controller Arrangements
  • Template clauses to be included in contracts with employees, internal rules, IT providers, consultants etc.

These policies, and any other tools that your organisation might generate over time, should be centrally managed. This is the purpose of TPOmap’s Documentation Depository, which allows these tools to be saved in one central folder accessible to the relevant stakeholders based on their role in the Privacy Management Program.