GDPR Data Register: What you need to know
Our webinar, titled ‘GDPR: Completing the Data Register’ and hosted by Gert Beeckmans, Chief Risk & Security Officer at SD Worx, and Laurent De Surgeloose, Lead Lawyer at global law firm DLA Piper, explored the importance of data registers and what HR and payroll professionals need to know.
The data register, also referred to as a Data Inventory, Personal Data Mapping, Processing Register, Software Register, and Data Index, must be maintained by the company’s data processor and controller. Although a new GDPR-compliant register may initially seem confusing, there are a number of ways to ensure that it is set up, and maintained, easily.
What should be logged in a data register?
Essentially, the new register needs to detail the purposes for which a company is processing data. It should include the categories of the data subjects and personal data, as well as the categories of recipients (where applicable), and the technical times and descriptions of the organisational processes.
The recipients of this data, outside of data regulation authorities, are defined as natural or legal persons to whom personal data is disclosed, whether third party or otherwise. The only exception to this rule is public authorities who receive personal data in compliance with EU or member state law, who should not be considered as recipients. With these fundamental rules in mind, your register can be built.
How easy is it to establish a register?
There is no set model that the register must be based on, leaving companies to choose whichever format they prefer, with the register either being recorded digitally or on paper. GDPR also does not require the data to be recorded in any particular language. Local data regulation authorities may have a preference on the language, but this will not be enforced by incoming GDPR legislation. Companies can also adapt current registers on pre-existing data indexes, or software register assets, to build the data register.
How to maintain a data register
Using current software that is useful and practical to the company will simplify the process. People outside of the organisation should be able to easily navigate the register, so data owners should ensure it remains clear to all parties.
HR and payroll teams should update this data frequently, with yearly reviews and validations. They should add in as much information as possible, including the information owner, the physical location of files/data, and information on IT applications. By doing this, if data authorities ask to see the register, organisations will be able to demonstrate in detail how all the data is managed and processed.
By including both legal obligations and additional organisational information in the register, the company not only ensures that the data register is GDPR-compliant, but also that it provides a map of the data. It equally ensures that the register is easy to maintain in the long term, as both management and recipients are clear as to what it is used for and why data is being recorded.