What is it and how to develop a Record of Processing Activities, risk analysis and impact assessment?

🕑 4 minutes read

Records of Processing Activities, risk analysis and GDPR impact assessment

The entry into force of both the General Data Protection Regulation (GDPR), as well as the Organic Law on the Protection of Personal Data and Guarantee of Digital Rights (LOPDGDD in Spain), brought with it significant changes in the management of the protection of personal data in companies.

There are numerous topics to consider when it comes to major data protection changes. However, and in a concrete way, this article aims to give a number of keys in terms of managing the Register of Treatment Activities (RAT), as well as the análisis de riesgo and impact assessment (IAP) of the different processing of personal data responsibility of a legal person.

Definition and Records of Processing Activities (RPA)

To start defining what a personal data protection management system would be in the company, you must set up the Records of Processing Activities.

Although this requirement is not mandatory for all companies, from GlobalSuite Solutions it is always recommended to complete this registration since it will allow us to know the life cycle of the processing of personal data carried out by the organization. This will also facilitate a more efficient and appropriate management in terms of the protection of personal data of data subjects.

This lifecycle will include aspects such as the origin of the data, the purpose for which it is collected, where it is stored, which third parties access the information and finally how the information is destroyed.

For each activity carried out, a treatment must be set up. These activities typically include customer management, supplier management, human resources management or facility video surveillance, to name a few examples.

Each record of processing activities identified shall contain the information required by Article 30 of the GDPR, which must include, inter alia, the following issues:

  • Purposes of data processing
  • Description of the categories of data subjects and the categories of personal data being processed.
  • Existence of international transfers.
  • Expected conservation periods.

Performing the Risk Analysis

Once the processing of personal data carried out by the company has been identified, a risk analysis of each of the processing must be carried out.

This risk analysis will allow us to decide whether to perform an impact assessment, in a subsequent process, of each treatment. The risk analysis should take into account, inter-view, aspects such as:

  • The purpose carried out, taking into account in particular activities such as profiling or systematic monitoring of stakeholders.
  • The type of personal data that is processed, with a special criticality the processing of specially protected data, genetic data or biometric data.
  • The amount of data processed
  • The existence of international data transfers

For the conduct of this risk analysis it is useful to rely on the assumptions defined by Article 35.3 of the GDPR, on the list of treatments requiring an impact assessment issued by the AEPD (Spanish Data Protection Agency), as well as on the assumptions in Article 28.2. LOPDGDD (Spain)

Impact assessment

Subsequently, an impact assessment of those treatments that require it should be carried out on the basis of the risk analysis carried out. This process consists of the assessment of a series of previously defined threats, considering two aspects: the probability of occurrence of the threat and the impact that such a threat would have in the event of a occur. The combination of these two issues will give us a level of risk based on the defined methodology and will be valued, among others, threats such as:

  • Unauthorized access to data
  • Theft or loss of media
  • Lack of legitimizing basis for treatment.
  • Make it difficult or not to process exercises of the rights of the interested parties.

If the resulting risk is higher than the defined acceptable risk level, we must proceed with the management of that risk, through the implementation of a risk reduction plan, which aims to mitigate the risk of the threat that requires it.

The adaptation of a company to the current regulations on data protection will require, in addition to the aspects indicated in this article, a series of actions that ensure that proper legal compliance is carried out in any case.

From GlobalSuite Solutions we offer you a consulting service that aims to help you ensure compliance with legal requirements in data protection,as well as the management of the system centrally through a tool such as GlobalSuite®