Personal Data Inventory and Effects on the Privacy Process
Relations between data governance, data privacy impact assessment, data transfer assessment and security measures
In my previous article, we focused on the definition of a DPIA and walked through an example. In this article, I would like to talk about the personal data inventory and how it relates to data governance, the Data Privacy Impact Assessment (DPIA), the Data Transfer Assessment and security measures. All of these processes depend on successful data governance: without a reliable inventory of what personal data you hold and where it flows, none of the downstream assessments can be accurate.
A Glance At Content
Data Governance
Data Inventory
Personal Data Inventory
What are Art. 30 GDPR records of processing activities?
Who is concerned by the records of personal data processing obligation?
What form must the record take?
What should you do if you plan to transfer data to a third country?
Data Governance
Data governance is management’s visibility and control over the use of information in an organization. Data governance takes on new meaning and relevance for organizations seeking to comply with recent privacy laws.
The governance structure concerning the use of personal information will include policies, defined roles and responsibilities, controls, processes, procedures, assessments of these, and reporting.
Data Inventory
If you want to manage data privacy, your first step should be to build a data inventory. Privacy programs require an effective data governance program.
You should establish a means of discovering all structured and unstructured data, particularly where it contains personal data (databases, file shares, SaaS exports, backups and log pipelines are common blind spots). For a privacy program to be effective, organizations must have a complete and accurate inventory of all personal information.
A data inventory, or data map, is a complete record of all the personal information your organization stores, uses and processes.
A data inventory can be used:
• As a precursor to regulatory compliance and risk analysis for example DPIA and Data Transfer Impact Analysis.
• To assess data, systems and processes
• And to inform data assessments, priorities, data lifecycle management and data classification.
Some of this information is highly sensitive because it contains personal information, intellectual property or internal financial information; some is important but not sensitive at all; and some is not very important. Classification is what drives the selection of security measures and controls in your organization: the protection applied to a data set should follow from its classification, not from where it happens to be stored.
Personal Data Inventory
If your data inventory includes personal data, you need expanded information on which activities process personal data and on their legal basis, following the Article 30 GDPR record of processing activities.
Article 30(1)(g) also requires, where possible, a general description of the technical and organisational security measures referred to in Article 32(1), so the inventory becomes the link between the privacy register and the security controls that protect each processing activity.
You can see the required minimum fields in the table below. They follow Article 30(1)(a) to (g): the name and contact details of the controller (and, where applicable, the joint controller, the controller's representative and the DPO); the purposes of the processing; the categories of data subjects and of personal data; the categories of recipients, including recipients in third countries or international organisations; transfers to third countries or international organisations, including the identification of the country and, for transfers under Article 49(1), the documentation of suitable safeguards; where possible, the envisaged retention periods; and, where possible, the general description of security measures.
What are Art. 30 GDPR records of processing activities?
The record of processing activities allows you to make an inventory of your data processing and to have an overview of what you are doing with the personal data concerned.
Aside from being an obligation set out by Article 30 of the GDPR, the record is an internal control tool and, as mentioned above, a way to demonstrate your compliance with the GDPR (the accountability principle of Article 5(2)). It is best practice to document your data processing and to review both the legal obligations and the technical security requirements that attach to each activity.
The record is a document with inventory and analysis purposes, which must reflect the reality of your personal data processing and allow you to precisely identify, among others.
Who is concerned by the records of personal data processing obligation?
The duty to maintain a record of processing concerns, in principle, all entities, both private and public, regardless of their size, provided they process personal data.
What form must the record take?
The GDPR only requires that the record be kept in writing, including in electronic form. The format can be chosen freely, so it can be kept on paper or electronically; a spreadsheet or a database-backed register both qualify. CNIL publishes a record template you can start from (see the Resources section).
The record is an internal document for the organization. It is not published, and it is not sent to CNIL or other authorities as a matter of course. However, Article 30(4) requires you to make it available to the supervisory authority on request, for example during an investigation, so it must be kept current and retrievable.
Measures for entities with less than 250 employees
Companies with fewer than 250 employees are not obliged to keep a record. However, they must keep a record for any processing that meets one of the following conditions (Article 30(5)):
The data processing is not occasional (example: salary management, customer, prospect and supplier management, etc.);
The data processing is likely to result in a risk to the rights and freedoms of data subjects (example: geolocation systems, video surveillance, etc.);
The data processing concerns special categories of data or data relating to criminal convictions and offences (example: health data, offence data, etc.).
In practice, this exemption is limited to processing that is occasional and carries no risk for the data subjects. This can be the case, for instance, of a one-off advertising campaign promoting the opening of a new branch of a company, on the condition that the processing does not present any risk to the data subjects.
If you are not sure whether this exemption applies to your data processing, authorities advise you to include it in your record anyway.
What are the technical and organisational obligations under Art. 32 GDPR?
Taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of processing as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons, the controller and the processor shall implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk, including inter alia as appropriate:
the pseudonymisation and encryption of personal data;
the ability to ensure the ongoing confidentiality, integrity, availability and resilience of processing systems and services;
the ability to restore the availability and access to personal data in a timely manner in the event of a physical or technical incident;
a process for regularly testing, assessing and evaluating the effectiveness of technical and organisational measures for ensuring the security of the processing.
In assessing the appropriate level of security account shall be taken in particular of the risks that are presented by processing, in particular from accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to personal data transmitted, stored or otherwise processed.
Adherence to an approved code of conduct as referred to in Article 40 or an approved certification mechanism as referred to in Article 42 may be used as an element by which to demonstrate compliance with the requirements set out in paragraph 1 of this Article.
The controller and processor shall take steps to ensure that any natural person acting under the authority of the controller or the processor who has access to personal data does not process them except on instructions from the controller, unless he or she is required to do so by Union or Member State law.
What should you do if you plan to transfer data to a third country?
If you will transfer personal data to a country outside the EU/EEA, you should first find out whether that country has data protection legislation and a Data Protection Authority, and whether the European Commission has adopted an adequacy decision for it. Without an adequacy decision, the transfer needs one of the safeguards in Chapter V of the GDPR (for example Standard Contractual Clauses) and, following the CJEU judgment in Case C-311/18, an assessment of whether the law and practice of the destination country undermine those safeguards.
On the CNIL website you can look up the country you intend to transfer data to, learn under what conditions you can transfer personal data there, and check whether it has a Data Protection Authority (see the Resources section).
You can carry out a data transfer impact assessment using a template such as the IAPP one listed in the Resources section; its output (the supplementary technical measures you decide on, such as encryption with keys held only in the EU) should be recorded back in your data inventory against the processing activity concerned.
The obligations for transfers to third countries under the GDPR are summarised in the European Commission and supervisory authority pages listed under Authorities below.
Thank you for reading my 6th article. I know there is a lot to research and learn :) We still have a long way to go.
I will be glad to help and support you with my articles.
Please feel free to ask me questions about GDPR or privacy governance or security governance.
If you think there is wrong information in my post, please let me know. The best thing about learning together is learning from our mistakes.
Resources
https://www.cnil.fr/en/record-processing-activities
https://gdpr-info.eu/art-30-gdpr/
https://iapp.org/media/resource_center/eu_scc_transfer_impact_assessment.x
Authorities
Data Protection Authority UK ► International transfers
Data Protection Authority Ireland ► Cross-border processing and the one stop shop
Data Protection Authority Isle of Man ► Transfers to third countries
Article 29 Data Protection Working Party ► WP244 – Guidelines on the Lead Supervisory Authority
Article 29 Data Protection Working Party ► WP245 – EU-US Privacy Shield F.A.Q. for European Businesses
European Commission ► Data transfers outside the EU
European Commission ► Withdrawal of the United Kingdom from the Union and EU – Rules in the field of data protection
EU publications ► Handbook on European data protection law – Personal data transfers to third countries/non-parties or to international organisations, page 253
European Data Protection Board ► FAQs on the judgment of the CJEU in Case C-311/18