Record of processing activities

Introduction

The record of processing activities allows you to map your data processing and to have an overview of what you do with the personal data concerned. Having a completed register is a requirement of Article 30 of the GDPR, but beyond the binding aspect, it is above all a tool to better understand your data and control the associated value chain - from their production to the use that is made of them.

At Dastra, we believe that our role is to make it easier for you to map your treatments, so that you can focus on your business. To do this, we support you with an intelligent registry and questionnaires that guide you step-by-step through the creation of your registry.

The Dastra record in a few words

Dastra's record of processing activities log functionality meets all regulatory requirements. The records, both Processor and Subcontractor, are based on repositories (actors, assets, datasets, data, risks and security measures) allowing you to map your processing activities and save time in the daily management.

Treatments can be duplicated and treatment models are available in a library freely accessible to all our users. A workflow is integrated, a search function is natively present and it's possible to import / export treatment sheets in different formats (pdf, word, html, excel, csv, json). It's possible to attach attachments, violations or risks to these treatments.

Record "Data controller" versus "Subcontractor"

Article 30 of the GDPR sets out specific obligations for the controller's record and the processor's record. If your organization acts as both a processor and a controller, your record must therefore clearly distinguish the two categories of activities.

In practice, in this case, the French CNIL recommends that you keep 2 records:

1. one for the processing of personal data for which you yourself are responsible,

2. another for the processing operations that you carry out, as a subcontractor, on behalf of your clients.

The different methodologies for setting up the record of processing activities

There are two methodologies for creating a treatment record:

• Top-Down design: we start the project by establishing the inventory of data processing, and then we collect the information specific to each processing (data, subcontractors...etc...).

• Bottom-Up design: we start by making an inventory of the data (software, data sets and personal data fields) and we create the treatments from it.

Which record methodology to choose?

There is no right or wrong method, everything will depend on the context of your organization, the skills of the DPO team, the accessibility of the operational data...

Here is a table comparing the two approaches:

/tableau

The good news is that Dastra handles both approaches perfectly! You can either create a form automatically by taking a treatment template. If you prefer the automatic approach, it's possible to create your own data map and create a treatment directly from an asset (software, database).

How to set up your treatment record?

If you want to learn how to design and manage your data processing record, start here:

If you want to learn how to design and manage your record of data processing, start here:

If you want to understand the different stages of the questionnaire, click here:

If you want to learn how to share the record of processing, click here:

For more information