Independent competence platform
for integrated security in Switzerland.

Record of Processing Activities: Optional for (many) SMEs -- tremendously useful to be "GDPR smart"

The European Commission seems to have identified a certain nervousness around the European General Data Protection Regulation (GDPR), adopted by the EU in 2016. With the GDPR entering into effect on 25 May 2018, the Commission considers it advisable to inform the public directly about what needs to be done to comply with it.

Last month, on 24 January 2018, the EU Commission therefore published a dedicated website about the GDPR and its implementation, to help companies adapt: http://europa.eu/rapid/press-release_IP-18-386_de.htm.

Among other things, the EU Commission aims at providing handy information to SMEs. For example, it discusses whether the GDPR applies to Small and Medium-Sized Enterprises (SMEs). The answer is yes. The Commission summarizes as follows:

(The above screenshot is taken from the Q&A section of the EU Commission's site.)

In the last sentence, the Commission refers to the following: SMEs with fewer than 250 employees do not need to inventory their processing activities. According to Article 30(5) GDPR, an Inventory of Processing Activities is not strictly mandatory for an enterprise or organization employing fewer than 250 persons (unless some rather imprecise further criteria concerning the criticality of the processing are met). Since such a "mapping" exercise may involve quite a lot of work, the carve-out is helpful to SMEs.

"Helpful in principle", we should add. We take this opportunity to discuss why, in practice, the well-intended carve-out is not so helpful in the end. We usually strongly recommend establishing an Inventory of Processing Activities even where the GDPR does not make it mandatory. This is in order to achieve a better degree of compliance with the GDPR and to be able to document accountability, in particular with respect to

  • Adherence to the data processing principles (Article 5 GDPR)
  • Rights of the data subject (Articles 12 - 23 GDPR)
  • Data breach notification procedures (Article 33 GDPR)

Knowing what processing activities your business engages in, and what types of personal data are involved, is a key prerequisite for ensuring Accountability. More precisely, the prerequisite is Control: Accountability requires that the company can control its business. And you can only control what you understand. Understanding is key. And understanding is hardly ever possible without a thorough and systematic analysis of the status quo.

Control is a prerequisite for Accountability. You can only control what you understand. So there is no way around coming up with a Record of Processing Activities anyway, even as a Small or Medium-Sized Enterprise (SME).

The exercise of documenting and maintaining an Inventory of Processing Activities (or Record of Processing Activities, in German: Verfahrensverzeichnis) enables an undertaking to identify gaps and to target relevant and pragmatic measures at the most critical processing activities.

Therefore, we believe the relief provided for in Article 30(5) GDPR is something of a distractor: A Record of Processing Activities (including an inventory of applications and of the data being processed in them) is key to understanding the current state of any company. This is true regardless of the size of the company, and thus for SMEs, too.

From a practical perspective, we usually recommend going with an inventory, regardless of the size of the company. It simply leads to better compliance down the road. Our GDPR infographic summarizes it iconographically like this:

On the basis of the understanding acquired by means of the Repository of Processing Activities, the company can then better identify what else needs to be done to comply with the GDPR. First get the facts right, then deploy measures to address the issues.

Before diving into the work, the company should therefore determine the scope of its GDPR implementation plan ("plan" because the exercise should be treated as an ongoing and permanent activity, not as a "project" -- projects might have a hard stop). This cannot be done without a clear understanding of the objectives: What should be achieved by going through the GDPR implementation plan? One key question concerns motivation and expectations:

Expectation management: We ask our clients to define their expectations (see the list to the right).

What is the goal? Is the goal of the company's GDPR implementation to get better at managing data, and even to achieve excellence in Information Governance?

Or is it simply to achieve a sufficient level of Compliance? If it is Compliance, then the company aims at deploying only what is strictly necessary to shield itself against liability and fines.

Certainly, Compliance is the baseline and the minimum of what needs to be achieved. But we always highlight that GDPR exercises present an opportunity to the company: If the work of becoming compliant already consumes some effort, why not think through whether that work could be used to improve the organization overall? We live in an information society, after all. Perhaps the GDPR is an opportunity to review the company's overall data management practices, to improve them with the objective of gaining better control, reducing the costs of data management and improving the opportunities to exploit the data held by the company.

During the client's journey we identify the most appropriate scope companies can give to their GDPR implementation projects:

The responses to these questions clearly help to determine the scope of the GDPR ramp-up project. It can be made very slim, or a bit broader. Interestingly, the volume of work does not necessarily correspond to the value of the project:

  • Limited focus on Compliance: Projects with a limited focus on Compliance sometimes seem to have only short-term value (apart from relieving the angst). The amount of work can be very slim, or very broad.
  • Focus on Information Governance: Smarter approaches push the company to get on top of its data processing practices. Experience shows that the project does not need to be very heavy to deliver first benefits. More importantly, if the project is viewed as a journey that continues after 25 May 2018, the work to be done can be sliced into pieces that are easy to digest.

For Information Governance, a good Record of Processing Activities is key. On the basis of the thorough understanding achieved by establishing a smart Record of Processing Activities, many of the compliance To-do's that have to be implemented look much simpler.

Here is a short summary of the typical To-do's that should be implemented:

Some other measures should be added, such as the establishment of a Data Protection Officer (DPO) or of a Representative of the Company in the EU, the deployment of technical, organizational and contractual measures and the release of policies plus, perhaps, to adhere to established Codes of Conduct.

We have built a three-phase approach to implement these To-do's:

(Write to info@lauxlawyers.ch to get your free copy of our brochure, in which the overall tasks that could be implemented are described in more detail.)

In Phase 1, we have grouped the implementation measures according to the Plan-Do-Check-Act model. The same applies to Phases 2 and 3.

Clients who, in Phase 1, focused on Information Governance loved it. They are usually excited to learn so clearly what their current data management practices are. On this basis, we could enable them to act quite independently during Phases 2 and 3. This approach helped them reach a sustainable setup and also save money. Obviously, this might be an objective worth considering for SMEs, too (even if, under the GDPR, it is not mandatory for them to keep a Record of Processing Activities).

LAUX LAWYERS AG has created methods and tools to enable companies to collect and capture the relevant information, based on a description of their IT landscape (infrastructure, platforms and applications). From such information we help companies establish a sustainable Repository of Processing Activities.

In the above, we sometimes refer to iconography we use in our day-to-day advisory work on GDPR issues.

With such a point of reference, the company can use this documentation as the first place to turn to for all the information a controller needs. A Repository of Processing Activities helps a business manage its processing activities and compliance To-do's with regard to the GDPR, but also beyond it (Information Governance).

We advise on national and international GDPR implementation projects jointly with Sourcing International GmbH, Vienna. The iconography used above was created in the context of the collaboration between www.lauxlawyers.ch and sourcing-international.org.

Expert Dr. Christian Laux on Cloud-Finder Schweiz
LAUX LAWYERS AG on Security-Finder Schweiz
