In the previous article of this series, Vincent Rejany explained why personal data protection regulations are calling for better governance of data. Let’s now talk about one building block of these regulations for demonstrating accountability: the records of processing activities, and how SAS® Personal Data Compliance Manager supports such recording.
SAS® Personal Data Compliance Manager is a recently released product based on the new SAS® Risk Governance Framework. SAS® Personal Data Compliance Manager is a workflow-driven and regulator-facing solution that automates the management of governance, risk, and compliance data. The product facilitates the entry, collection, transfer, storage, tracking, and reporting of operational losses, gains, and recoveries that are drawn from multiple locations across an organisation.
The goal of SAS® Personal Data Compliance Manager is to provide organisations with customisable templates and workflows to document personal data processes and assess the risk of these processes.
The software has been developed based on GDPR requirements, as well as supervisory authorities’ guidelines such as those of the Article 29 Working Party (WP29), the CNIL (France), the ICO (UK) and the CPP (Belgium). SAS® Personal Data Compliance Manager is not specific to GDPR and is intended to address all data protection regulations.
The product is intended to work in conjunction with the SAS® Data Management components and SAS® Visual Analytics. Together they provide a technology platform for participating firms to deal with the EU regulation on personal data protection.
In this first release, SAS® Personal Data Compliance Manager can also be used to perform these tasks:
- document and maintain data processing activities
- define data controllers, processors, and data subject categories
- conduct data protection impact assessments
- describe and maintain data assets and systems
- define controls and security measures
- manage incidents, data breaches, and data subject correspondence
Records of Processing Activities
Data processing activity is defined in Article 4 (definitions 2 and 6) of the GDPR. Processing covers a wide range of operations performed on personal data, including both manual and automated processes. It includes the collection, recording, organisation, structuring, storage, adaptation, alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, and erasure or destruction of personal data. The records shall be in writing, including in electronic form.
According to Article 30, the documentation of processing activities must include the following information:
- the name and contact details of the controller and, where applicable, the joint controller, the controller’s representative, and the data protection officer
- the purposes of the processing
- the basis of the processing, which can be one of:
  - necessary for the performance of a contract
  - a legal obligation
  - protection of the vital interests of the data subject
  - a task carried out in the public interest or in the exercise of official authority
  - legitimate interests pursued by the controller or by a third party
  - the consent of the data subject
- a description of the categories of data subjects and of the categories of personal data
- the categories of recipients to whom the personal data have been or will be disclosed including recipients in third countries or international organisations
- where applicable, transfers of personal data to a third country or an international organisation, including the identification of that third country or international organisation and, in the case of certain transfers, the documentation of suitable safeguards
- where possible, the envisaged time limits for erasure of the different categories of data
- where possible, a general description of the technical and organisational security measures referred to in GDPR Article 32(1)
Recording data processing activities with SAS® Personal Data Compliance Manager
Systems and Data Assets Definition
Within SAS® Personal Data Compliance Manager, the recording of processing activities starts with the definition of systems and data assets. A system is a general identifier for an application, such as ERP, Finance or CRM. A data asset is more precise and distinguishes software from file systems or databases. One processing activity can cover more than one data asset, and one data asset can of course be linked to more than one processing activity. The screenshot below illustrates the creation of a data asset named “Finance”.
Processing Activities Definition
SAS® Personal Data Compliance Manager supports the recording of processing activities through a dedicated web form. By default, the definition of processing activities is workflow-driven, so that each step can be validated by approved users. One processing activity can be linked to one or more data assets.
The different sections have been defined based on Article 30 of the EU GDPR and the recommendations of various European supervisory authorities such as the ICO (UK), the CNIL (France) and the CPP (Belgium, CBPL/CPVP). The screenshot below shows the first tab of the form with the details of the processing activity.
One of the most important parts of creating a processing activity is specifying the personal data categories involved in the processing as well as the data subject categories concerned. The picture below presents the related section within SAS® Personal Data Compliance Manager Data Process.
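To make the Article 30 requirements listed earlier and the activity-to-data-asset linkage concrete, here is an added example, not code from SAS or from this product, that models one record of processing activities and reports which required and recommended items are still missing. The field names, the `ProcessingActivity` and `article30_gaps` helpers, and the rule that every documented transfer names both its third country and a safeguard (stricter than the "certain transfers" wording of the article) are assumptions of this example.

```python
from dataclasses import dataclass, field
from enum import Enum

class LawfulBasis(Enum):
    """The six bases for processing listed in the article (GDPR Article 6(1))."""
    CONTRACT = "performance of a contract"
    LEGAL_OBLIGATION = "legal obligation"
    VITAL_INTERESTS = "vital interests of the data subject"
    PUBLIC_TASK = "public interest or official authority"
    LEGITIMATE_INTERESTS = "legitimate interests"
    CONSENT = "data subject consent"

@dataclass
class ProcessingActivity:          # hypothetical model of one Article 30 record
    name: str
    controller: str
    controller_contact: str
    purposes: list
    lawful_basis: object           # a LawfulBasis member once decided
    data_subject_categories: list
    personal_data_categories: list
    recipient_categories: list
    data_assets: list              # asset names, e.g. "Finance"; one activity may span several
    dpo_contact: str = ""          # where applicable
    transfers: list = field(default_factory=list)  # (third country, safeguard) pairs
    retention: dict = field(default_factory=dict)  # data category -> erasure time limit
    security_measures: str = ""    # Article 32(1) description, where possible

def article30_gaps(pa):
    """Return (required, recommended): Article 30 items still missing from pa."""
    checks = [
        (pa.controller and pa.controller_contact, "controller name and contact details"),
        (pa.purposes, "purposes of the processing"),
        (isinstance(pa.lawful_basis, LawfulBasis), "basis of the processing"),
        (pa.data_subject_categories and pa.personal_data_categories,
         "categories of data subjects and of personal data"),
        (pa.recipient_categories, "categories of recipients"),
        (pa.data_assets, "at least one linked data asset"),
    ]
    required = [item for ok, item in checks if not ok]
    for country, safeguard in pa.transfers:   # assumed rule: name country and safeguard
        if not country:
            required.append("identification of the third country")
        elif not safeguard:
            required.append("suitable safeguards for transfer to " + country)
    recommended = ["time limit for erasure of " + c
                   for c in pa.personal_data_categories if c not in pa.retention]
    if not pa.security_measures:
        recommended.append("description of security measures (Article 32(1))")
    return required, recommended
```

Running the check on a draft record before it enters the approval workflow gives the validator a list of what to complete, separating what Article 30 demands from what it asks for "where possible".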
In my next article, we will look at how to go one step further by assessing and performing Data Protection Impact Assessments.