To make the GDPR requirements and approaches easier for you, here is a step-by-step outline of how to create records of processing activities.
Make a list of all the departments in your company
As you start with records of processing activities, the very first step is to collect the names of all the departments in your company. Think of all the functions your company performs. If you are a startup, there won’t be many departments. So take time to think about all your functions and organise them in detail, so that every activity can be assigned to a department.
Fill in your basic company information
The GDPR requires you to record your basic company information. This includes the name of your company, the contact details of the company’s CEO or Managing Director, and so on.
Choose a platform for GDPR related work
The next thing you need to decide is how you want to manage all your GDPR-related documents together. You can either use Google Docs and keep all the information in one drive, or you can make folders on your internal company network. It is important that you choose one option and store all your documents in the same place to avoid any hassle later.
Find all departments that have processes for personal data
Think of all the departments in your company that use personal data in one way or another, for example product development, finance, sales and so on. Find out which of these obtain or use any user data in any way, and then make a list of all such departments.
Think of all people responsible for these processes in each department
Identify all the people who manage the data-related activities in each of these departments of your company. Make a list of these people along with their contact details. Also make sure the person you pick is familiar with the data held by the department and is able to answer questions about all of the department’s activities. The person need not be the head of the department, but should be the one who knows about the activities involving personal data.
Create a department profile
After you have made both lists, one with the department names and the other with the details of the corresponding contact person for each department, create a department profile that combines the two.
Find an internal data protection officer
Appoint a person in your company who can represent you as Data Protection Officer (DPO). The person will need some training and should have legal knowledge, or at least a functional understanding of the relevant laws. Ideally, this could be your Chief Operations Officer or Head of Legal. In many companies, the DPO is the person who leads the records of processing activities.
Officially appoint your DPO
Once you have chosen the right person, it is time to officially appoint them as your DPO. Sign a document with them in which all of their responsibilities are set out. All of these responsibilities should be in accordance with Article 37 of the GDPR. If you have hired a company that provides you with tools to download the document and request the signature, follow that flow.
Make sure all departments create a list of their activities that use data
Now is the time to check that every department records each of its activities that uses data in any way. For example, the exchange of business cards is an activity in which personal data is involved, so it must be recorded. Such activities should be recorded precisely by the department heads.
Give details of activities
This is a long-term task with no shortcuts. Go step by step and describe all the activities, the nature of the data, how the data is stored and deleted, and so on. Together, these descriptions form the record of processing activities.
Combine all of the information into one report as the final step of the records of processing activities.