Under the GDPR, almost every organization that processes personal data in a structured way is required to keep privacy records. No distinction is made here between sectors, although each sector has its own challenges. In this E-guide, we discuss some of those challenges and give you tips for solving them with the help of Privacy Nexus.
How do you extract all relevant information from your organization?
Because many complex and very specific activities take place within an organization, it is quite a challenge for the Privacy Officer to retrieve all relevant information and record it in a processing register. For example, how do you find out which personal data are being used, and to which agencies they are being forwarded?
Privacy Nexus makes it easy to distribute work within the organization. You can assign responsibilities to colleagues, and colleagues can find them on their personal homepage. By assigning access levels, you can ensure that colleagues see only the parts of the software that are relevant to them. This way they see what they need and don't get lost in the information. The Privacy Officer keeps track of progress and gains insight into risks.
How do you make sure you get all the information back in the right format?
When you have to collect information from many different people, you will often get a wide variety of responses. Even when you draw up a standard questionnaire, one person will answer the questions in great detail, while another will get no further than "we process personal data."
By using Privacy Nexus you can not only automate the questionnaire but also ensure that everyone provides the same type of input. Privacy Nexus uses closed questions as much as possible. This makes it a lot easier to provide the right information and reduces the chance of providing irrelevant information. For example, for the question "What personal data do you process?" you make a selection from a list of pre-defined personal data. This prevents general, meaningless answers like 'personal data' and also allows you to filter your processing operations by a specific type of personal data (e.g. 'date of birth').
How do you know whether or not to conduct a DPIA?
With all that personal data, there may be processing operations that pose such a risk to data subjects that a DPIA must be conducted. Conducting a DPIA is often seen as a cumbersome undertaking that takes a lot of time.
Privacy Nexus helps you do this by assessing for each processing operation whether a DPIA is recommended. So the person answering the questions does not have to make this assessment himself. It is then clear at a glance for which processing operations a DPIA is recommended. When a DPIA is recommended, you can carry it out with the DPIA module, in which we again use closed questions as much as possible. The latter ensures that the person who filled out the questionnaire for the associated processing can also help collect some of the information to conduct the DPIA. By then linking the DPIA to the relevant processing from the processing register, you easily demonstrate that you have met the DPIA obligation for all high-risk processing.
How do you ensure that even in a decentralized organization you can still collect information centrally?
Within an organization, there is often a complex organizational structure in which many activities are decentralized. On the one hand, very specific processing activities take place within a certain department or location; on the other hand, a large number of processing activities take place in all of them. In addition, many of the same systems (software) are used to process the data.
You want to prevent multiple people from spending time collecting and entering the same information, with the result that, for example, the processing operation "manage customer file" is entered separately by multiple departments.
Privacy Nexus makes it very easy to capture all information centrally and still maintain an overview by department. You do this by defining your organizational structure in Privacy Nexus. You then link the various components of your privacy administration, such as processing operations, DPIAs and data breaches, to the various parts of the corporate structure. This way you still create a clear overview per department that you can easily filter on.