Record of processing activities

Learn how to edit the record of processing.

Last updated 1 year ago


Introduction

The record of processing activities allows you to map your data processing and to have an overview of what you do with the personal data concerned. Having a completed register is a requirement of Article 30 of the GDPR, but beyond the binding aspect, it is above all a tool to better understand your data and control the associated value chain - from their production to the use that is made of them.

At Dastra, we believe that our role is to make it easier for you to map your processing activities, so that you can focus on your business. To do this, we support you with an intelligent registry and questionnaires that guide you step-by-step through the creation of your registry.

The Dastra record in a few words

Dastra's record of processing activities functionality meets all regulatory requirements. The records, both data controller and subcontractor, are based on repositories (actors, assets, datasets, data, risks and security measures) that let you map your processing activities and save time in daily management.

Processing activities can be duplicated, and processing templates are available in a library freely accessible to all our users. A workflow is integrated, a search function is built in, and processing sheets can be imported and exported in different formats (PDF, Word, HTML, Excel, CSV, JSON). Attachments, data breaches or risks can be attached to these processing activities.

Record "Data controller" versus "Subcontractor"

Article 30 of the GDPR sets out specific obligations for the controller's record and the processor's record. If your organization acts as both a processor and a controller, your record must therefore clearly distinguish the two categories of activities.

In practice, in this case, the French CNIL recommends that you keep 2 records:

  1. one for the processing of personal data for which you yourself are responsible,

  2. another for the processing operations that you carry out, as a subcontractor, on behalf of your clients.

The different methodologies for setting up the record of processing activities

There are two methodologies for creating a record of processing activities:

  • Top-Down design: we start the project by establishing the inventory of data processing activities, and then we collect the information specific to each processing activity (data, subcontractors, etc.).

  • Bottom-Up design: we start by making an inventory of the data (software, data sets and personal data fields) and we create the processing activities from it.

Which record methodology to choose?

There is no right or wrong method. Everything depends on the context of your organization, the skills of the DPO team, the accessibility of the operational data, and so on.

Here is a table comparing the two approaches:

| Methodology | Target | Benefits | Disadvantages |
| --- | --- | --- | --- |
| Top-Down (descending) | Small organizations or communities; Company with a weak data culture; Legal team with little affinity for IT | Quick to set up; Less work; Corresponds well to the legal expectations of the GDPR | May cause difficulties if the registry implementation team is not familiar with the organization's data; More burdensome for operational staff; The data inventory will be much less valuable because it is modeled for legal purposes only; More complex to maintain over the long term |
| Bottom-Up (ascending) | Large or medium-sized organizations; With a strong data culture; Legal team with a strong IT affinity | Taking an inventory of data will be less abstract than creating processes directly; The record reflects the reality of the organization; Maintaining the record will be easier in the long run; More members of the organization are involved; Creation of treatment records is more automated | Overall more difficult and time consuming to implement; Project requires good governance |

How to set up your record of processing activities?

If you want to learn how to design and manage your data processing record, start here:

If you want to learn how to design and manage your record of data processing, start here:

If you want to understand the different stages of the questionnaire, click here:

If you want to learn how to share the record of processing, click here:

For more information

The good news is that Dastra handles both approaches perfectly! You can either create a form automatically by taking a processing template. If you prefer the automatic approach, it's possible to create your own data map and create a processing activity directly from an asset (software, database).