
2.2 Design

TPOmap supports the design phase of a Privacy Management Program in the following ways:

2.2.1 Establishment of a record of processing activities

Under the GDPR (art. 30), each controller and each processor of personal data (as defined in art. 4 GDPR) must properly document the way they handle personal data. This means that whenever personal data (i.e. information about an identified or identifiable individual) are collected and used for a given purpose, certain mandatory information must be registered in a “record of processing activities”.

Pursuant to art. 30 GDPR, a record of processing activities shall be a written document that is also available in electronic form. It shall be made available to the supervisory authority on request. 

Based on our experience, we think that accountability for documenting records should be divided among different staff members, in order to support ownership and keep the related documentation work per person to a minimum.

Therefore, it has been decided to complete one processing sheet per processing activity instead of creating one record for all processing activities. In this way, processing sheets may be created, maintained and modified by different staff members in parallel; there is no need for one person to draft them all.

Supporting the creation, validation and maintenance of the record of processing activities is the topic of Part 7.

As part of the documentation of the record of processing activities, art. 30 GDPR requires, where possible, a general description of the technical and organisational security measures referred to in art. 32(1). Since such measures generally depend not on a given processing activity but on the organisation(s) responsible for protecting the infrastructure involved (hereafter “Asset owner”), TPO has decided, as part of its methodology, to document the technical and organisational security measures in separate documents called “Technical sheets”, each related to such an organisation.

Supporting the documentation and analysis of the security measures applicable to the personal data processing activities documented in the record is covered in Part 8 of this guide.

2.2.2 Support for the design of a roadmap for compliance

Based on TPO’s consulting experience, searching for the information required to establish the record of processing activities may take time and effort (e.g. searching for contracts or other relevant detailed information).

However, these efforts usually yield much more valuable information about the processing activities than what is required for compliance with art. 30 GDPR. Where possible, it is important to capture such relevant information all at once.

Therefore, in addition to fields for the information required by art. 30 GDPR, TPOmap also contains a series of other fields for the centralised documentation of additional valuable data (e.g. contracts in place, IT products used, etc.).

Establishing the connections between these data in a way that provides insight into compliance gaps and corporate risks with regard to the security of processing, the risk of processing and the legitimacy of processing is the overall purpose of the TPOmap Dashboard.

Completing the processing sheets and the technical sheets will support your organisation in becoming compliant with art. 30 GDPR.

In addition, the Dashboard will:

  • Provide you with a series of metrics to assess the status of your organisation’s GDPR compliance and related digital & privacy risks;
  • Allow you to generate a risk-based roadmap for compliance for your Privacy Management Program;
  • Provide you with a series of lists and statistics that will help you to implement this roadmap over time.

2.2.3 Management of policies/tools that facilitate the compliance of data processing activities

Depending on the type of activity and the size of an organisation, it may have some 10, 20, 100 or even more processing activities in its record.

Ensuring compliance of each of these personal data processing activities with the GDPR and other applicable data protection legislation may take time and effort, but the benefits are worth the investment.

The best way to reach compliance is to build a central Privacy Management Program that establishes a governance plan. The governance of data protection and security is established by means of appropriate policies/tools approved by management and disseminated through the organisation’s structures.

As part of its long experience in advising organisations on data protection, TPO has created a series of policies/tools that can be purchased to facilitate the compliance of specific processing activities.

Examples of policies/tools:

  • Policies such as a Privacy Management Policy for establishing governance, a Record Retention Policy, a Data Breach Management Policy, a Consent Management Policy, an Information Security Policy for protecting information systems, etc.
  • Template Privacy Notices for employees
  • Template Privacy & Cookie Notices to display on websites
  • Template Controller-Processor Agreements
  • Template Joint Controller Arrangements
  • Template clauses to be included in contracts with employees, internal rules, IT providers, consultants, etc.

These policies, or any other tools that your organisation might generate over time, should be centrally managed. This is the purpose of TPOmap’s Documentation Center, which allows these tools to be saved in one central folder, accessible to relevant stakeholders based on their role in the Privacy Management Program.