Processing register: what is the procedure for writing it?

By
Alessandro Fiorentino
The data processing register is an essential tool for ensuring compliance with the GDPR.

The time of prior declarations to the CNIL is over; it is time for accountability! Since the General Data Protection Regulation (GDPR, known in French as the RGPD) entered into force on May 25, 2018, data controllers and their data processors must document their compliance: this is the principle of accountability. Among the documentation obligations, maintaining the record of processing activities is a perfect illustration of this accountability requirement (Article 30 of the GDPR).

When drafting the register, Data Protection Officers and GDPR compliance officers frequently run into the following questions:

  • What approach should be adopted to draft the register efficiently?
  • Which actors will have to support me in writing the register?
  • What principles should be followed for a register that complies with regulatory requirements?

To answer all these questions, in this article I offer you a methodology for successfully writing your organization's record of processing activities.

The objectives of the processing register

The purpose of the record of processing activities, or more commonly the processing register, is to identify the processing of personal data carried out by a data controller or by a data processor.

By documenting all data processing, the register becomes a real tool for managing and monitoring compliance.

In practice, the register consists of processing sheets. A sheet must be prepared for each processing activity. Taken literally, the register would contain as many sheets as there are processing operations on personal data within the organization, which would make the register hard to maintain and keep up to date.

The objective is therefore to group processing operations (each with its own purpose) around a single, coherent purpose, the main purpose. If necessary, this main purpose can then be broken down into sub-purposes.

Thus, a processing sheet is drawn up for each main purpose identified. (Do not hesitate to watch my video on the subject.)

Is the processing register mandatory for everyone?

Keeping a processing register is mandatory when your organization employs more than 250 people.

So is an organization with fewer than 250 employees exempt from keeping a register? Not entirely: this derogation is lifted in the following cases:

  • When the processing of personal data is not occasional, regardless of the number of employees;
  • When the processing involves so-called “sensitive” data;
  • When the processing is likely to result in a risk to the rights and freedoms of the data subjects;
  • When the processing relates to criminal convictions and offences.

Note that the obligation to keep a processing register applies to both data controllers and data processors.

What information should be entered in the processing register?

For data controllers, Article 30(1) of the GDPR states that the record of processing activities must contain the following information:

  • The name and contact details of the controller and, where applicable, of the joint controller, the controller's representative and the data protection officer;
  • The purposes of the processing;
  • A description of the categories of data subjects and of the categories of personal data;
  • The categories of recipients to whom the personal data have been or will be disclosed, including recipients in third countries or international organizations;
  • Where applicable, transfers of personal data to a third country or an international organization, including the identification of that third country or international organization and the documentation of appropriate safeguards;
  • Where possible, the envisaged time limits for erasure of the different categories of data;
  • Where possible, a general description of the technical and organizational security measures implemented.

But nothing prevents you from enriching the register with additional information. On the contrary, doing so turns the register into a more comprehensive compliance management tool.

The obligation to keep a processing register also applies to data processors. The information required of them is listed in Article 30(2) of the GDPR.

The actors involved in creating the processing register

The Data Protection Officer (DPD/DPO)

Even though the texts do not expressly provide for it, as the “conductor” of data protection compliance, the DPO will naturally be the person in charge of writing and maintaining the register within the organization.

Business lines or IT and Civil Liberties Referents (RIL)

For the DPO, drafting the register requires the support of a referent in each business area.

In the absence of an IT and Civil Liberties referent appointed in each business area, one person must be designated in each department or division. These are operational-level contacts who have the knowledge needed to identify data processing activities.

The Information System Security Manager (RSSI, i.e. the CISO)

The CISO is obviously one of the business contacts described above, but his involvement does not end with writing the processing sheets for his own business area.

Bearing the operational burden of applying logical and physical security rules across the entire information system, the CISO is the expert who knows which security measures are actually applied.

Indeed, the register requires a general description of the technical and organizational security measures implemented for each processing operation. This security knowledge is often poorly mastered by the business lines themselves.

Thus, prior to the drafting phase, the CISO's assistance is required in order to establish a map of the applications and their security measures.

The DPO thereby obtains an overall view of the security measures set out in the information system security policy (PSSI), as well as of the measures applied to the applications and software used by the business lines.

What is the procedure for writing the processing register?

Identifying the contacts

A contact must be designated in each business area.

This contact must have a good knowledge of his business scope; profiles with experience within the organization are therefore preferred.

These contacts must then be made aware of the regulation, after which they will support the DPO in writing the register.

Awareness raising

Once the business contacts have been appointed, one difficulty remains: the business lines do not speak the language of “data protection”.

Thus, before involving the business lines in writing the register, it is essential to raise their awareness of the principles and concepts of the regulation.

This awareness-raising stage also lets the business lines understand what is expected of them when writing the register.

Application mapping

This step is carried out by the DPO and the CISO (RSSI).

Its objective is to map the applications in order to collect all the technical and organizational security measures present in the applications and software used by the business lines.

To this map are added the security measures set out in the organization's various security policies (e.g. the Information System Security Policy, the Personal Data Confidentiality Policy, etc.).

This map gives the DPO and the business lines a better view of the security measures, which then makes it easier to fill in the processing sheets during the drafting stage.

Drafting the processing register

Preliminary work

By providing a processing sheet template, this step allows the business lines to prepare for what the register expects of them and to gather the information needed to write the processing sheets during the workshop with the DPO.

The business lines can begin to fill in their processing sheets as best they can, which simplifies the next step.

The objective of this stage is not to have the business lines fill out the register sheets on their own. Having processing sheets written by the business lines alone is not recommended. For a coherent and flawless register, drafting the processing sheets requires collaboration between the DPO and the business lines.

DPO and business-line workshops

A “Register” workshop is organized for each business line. During these workshops, the DPO and the business contact/referent determine which processing sheets must be drawn up.

During the workshops, the DPO and the contacts then fill in all the information required by Article 30 of the GDPR.

Drafting the register is also an opportunity for the DPO to inform and advise the business lines and to check the compliance of the various processing operations with regulatory requirements:

  • Subjecting the processing to the principle of data minimization (Article 5(1)(c) of the GDPR): “Is this data necessary for the processing?”;
  • Subjecting the processing to the principle of storage limitation (Article 5(1)(e) of the GDPR): “Has a retention period been set? Is a data purge planned?”

In light of the regulatory breaches identified during the workshops, this drafting stage is also an opportunity for the DPO to enrich the compliance action plan.

The principles surrounding the writing of the processing register

A written record

The register must be kept in writing (paper or electronic format).

A clear and precise register

The register must be clear and precise for the supervisory authority (the CNIL).

An up-to-date register

The information entered in the register must be accurate and reflect the processing actually performed.
The register is also a living tool that must be kept constantly up to date with the functional and technical changes affecting data processing.
Finally, a periodic review of the register with the business lines must be put in place; a full review of the register every year is good practice.

By applying the approach proposed here, you now have the keys to managing the drafting of your organization's processing register as well as possible.
