Previously in our Guide to Data Privacy and Security, we discussed the intricacies of third-party management and why companies should have a process to assess and monitor suppliers. Now it is time to discuss the flow of your data: how it is categorized and mapped, and what privacy regulations such as the GDPR and PIPEDA legally require.
Article 30 of the General Data Protection Regulation describes the necessary steps to properly record processing activities and outlines the process you should follow to create your Records of Processing Activities (RoPA).
It’s All About Control & Accountability
Keeping your records, processes and information updated is part of your daily routine as a privacy professional. Organizations must demonstrate that they are completing their RoPA as expected, in compliance with regulations, which requires taking inventory of risky activities and continuously monitoring them. Establishing the RoPA is a focal point if you are managing a privacy program, as it enables you to identify where personal data is being processed, who is processing it, and how it is being processed.
When it comes to managing risk and compliance, a risk-based approach helps you assess your inventory of information assets and applications and determine the appropriate level of security and controls deemed necessary to protect said data.
According to the Information Commissioner’s Office, your RoPA should help to identify:
- your organization’s name and contact details, whether it is a controller or a processor (and where applicable, the joint controller, their representative, and the DPO);
- the purposes of the processing;
- a description of the categories of individuals and personal data;
- the categories of recipients of personal data;
- details of transfers to third countries, including a record of the transfer mechanism safeguards in place;
- retention schedules; and
- a description of the technical and organizational security measures in place.
Mapping The Flow Of Your Data
You must maintain an internal record of all processing activities carried out by any processors on behalf of your organization. This is another reason why keeping an updated list of the vendors and applications used at your organization is so important. Part of this inventory should be a vendor categorization based on the categories of data each vendor processes.
Creating classes of vendors based on the sensitivity of data they process and store will make your job easier. This is how you can classify these third parties:
- Public information
- Internal confidential information
- Client personally identifiable and confidential information
- Sensitive information
This information must be used as direct reference material for your Data Map.
Creating visual data maps demonstrating the flow of your clients’ data is fundamental to developing an exhaustive data privacy and security program. The links between your system and the different applications used to support your operations must also be considered as processing activities necessary to compose your RoPA.
The main benefits of keeping documented data flows and records of processing activities are:
- Ensure protection by design and default throughout the entire data life cycle.
- Determine data redundancies.
- Monitor deletion and retention policies.
- Respond more quickly and accurately to data subject requests.
- Mitigate any risks associated with processing.
What Do You Need To Set Up Your RoPA?
Setting up your Records of Processing Activities can be broken down into the following steps.
- Maintain an efficient supplier management process.
- Categorize all third parties based on the type of data they process.
- Create a data mapping to identify what data you store and where it is stored.
- Conduct a risk assessment based on each segment of your processing activities.
- Review your privacy and security policies, and ensure data processing addendums (DPAs) are in place with all third-party vendors, considering the risks associated with sub-processing.
- Discuss the results and the actual state of your RoPA with internal stakeholders.
Guide To Data Privacy And Security
Part 2: Policies and Procedures
Part 3: Accountability
Part 5: Supplier Assessment Process
Part 6: Data Processing Agreements
>> Part 7: Data Categorization and Mapping
Part 8: Privacy Assurance
How Can StandardFusion Help?
StandardFusion is a comprehensive software that enables you to manage your entire governance, risk and compliance program in a single application. With extensive third-party management capabilities, you can minimize risk by registering, tracking and categorizing vendors based on your own preferences and criteria. Conduct risk assessments and analyze all risks identified in your RoPA and maintain all past records for future reference or compliance. Connect with our team and learn how to create your own audit framework and assess your internal Records of Processing Activities using StandardFusion.