Since the EU's General Data Protection Regulation (GDPR) came into force in 2018, businesses and organisations have had a duty to document all the personal data they collect in a record of processing activities. This obligation is one of the 9 steps to compliance with the GDPR, which are:
- Identify all the activities involving personal data in your company.
- Create the record of processing activities.
- Sort out your data.
- Make it easy for users to exercise their rights.
- Inform users you are collecting data.
- Secure your data.
- Appoint a Data Protection Officer.
- Be prepared for an incident (data breach).
- Have control over third-party services that handle personal data on your behalf.
Personal data and European users' rights
Any information relating to an identified or identifiable natural person is personal data. It can be a name, an identification number, location data, an online identifier, or one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person. Recordings of a person, images and videos can also be personal data if the individual is identifiable.
Generally, processing personal data means any operation performed on the information handled, such as collecting, printing, coordinating, storing or registering it. European users have rights over the data collected about them: the rights of access, rectification, opposition, information, erasure, portability and restriction of processing.
Personal data controller and personal data processor
All actors involved in processing the personal data of European residents bear responsibility, whether or not they are established in the European Union.
Two roles can be distinguished:
The personal data controller
A data controller is a natural or legal person, public authority, agency or other body which determines the purposes and means of the processing of personal data, that is, the objective and the way it is carried out. As a business or organisation, you are ultimately accountable for your own compliance and for the compliance of your processors.
The personal data processor
You are a processor if your company processes personal data on behalf of, and under the authority of, a controller. Processors, like controllers, must comply with the GDPR and can be held liable for non-compliance.
For more information, we advise you to follow this “Step-by-step GDPR compliance guide” to ensure you comply with the law.