REGISTER OF PERSONAL DATA PROCESSING ACTIVITIES: HOW DO YOU COMPLY?
The new data protection law (nLPD) will come into force on 1 September 2023. It is accompanied by a new Data Protection Ordinance (OPdo).
According to Article 12 of the Data Protection Act, companies employing more than 250 people must set up a register. This lists the different types of personal data processed.
Contents of the register.
This register must contain the following information in particular:
- identity of the data controller
- purpose of processing
- description of the categories of data subjects and the categories of personal data processed
- categories of recipients
- the retention period or the criteria for determining the retention period
- security measures to protect data
- the countries where the data is stored and security guarantees
In practice, how do you go about it, and where do you start?
Drawing up this register requires the involvement of all the departments in your organisation. Every department in your organisation is likely to handle personal data. It is therefore a cross-company approach.
This register does not contain the data itself. It contains the categories of data. For example, we will mention that we collect the names of participants in a training course, but we will not indicate the names themselves in the register. The register of personal data processing activities can be compared to the inventory of thematic sections in a library. But without the contents of the books!
Stages and communication
The first step would be to inform the heads of department and/or process managers of the new developments. To do this, you can use the documents available at federal level, such as those from the Federal Data Protection Commissioner.
Each manager should then add to this register. They must record the data processed in their process.
In practice, drawing up the register of processing activities involves making connections with other elements of your organisation: for example, the information systems used to store the data, the list of departments, the processes involved, the list of data controllers, etc. Without a suitable tool (such as a simple Excel spreadsheet), this can become complex to document.
Using the right tool
That's why we've developed the Data Management module in SIRIS+. It allows you to easily create your register and integrate it with your organisation's processes and departments.
Do you need short, effective and pragmatic support to help you achieve compliance? You can contact us using the form below.