RESPONSUM provides you with a Record of Processing Activities (also referred to as the “Register”) to keep track of your organization’s processes with regard to privacy compliance.
Pre-requisites to get started
- Permissions on the Register sub-module, or on specific items within the register, as Collaborator, Editor or Accountable.
Fast-track to Brilliance
- Select the “Privacy” menu in the main menu bar
- Select “Register”
- Press create in the top right corner
Step-by-step guidance
About section
- Select the “owner” of the processing activity by first setting if it is an internal or external owner
- When “Internal owner?” is set to “Yes”, you will be able to select a User
- When “Internal owner?” is set to “No”, you will be able to type the name of the owner
- You can select organizational units that are involved in the processing activity
- NOTE: The organizational units set here can be used to control access for users. Organizational units can also be set on a user, so that the user only sees items that have the same organizational units set.
- Tags can be set on the processing activity to easily identify it and search for the activity
General information
- Create a name for the processing activity by filling out the ‘Name’ field.
- Enter a description into the ‘Description’ field.
- You can add the processing activity to a ‘Category’ by selecting or adding a new Category in the ‘category’ field.
- Select the legal basis for your processing activity. Suggestions can be created based on the selected legal basis.
- Additional legal basis details can be set
- A legal template type and Legal template from the “Legal templates” sub-module can be set
Context and Scope
- Describe the purpose of processing in the ‘Purpose’ field.
- Select one or more Employee functions that are relevant to the processing activity.
- Select Other involved users from the user list or enter names/roles into the ‘other involved people’ field.
- Create a review interval by entering a review interval number and selecting a review interval period (day(s)/week(s)/month(s)).
- Select the role your organization takes in this processing activity: Controller or Processor.
- Select ‘yes’ if any joint-controllers are involved. Select the joint-controller from the ‘Add joint-controllers’ list.
- If the Start date of the processing activity is known, select ‘yes’.
- Select the start date.
- If the end date of the processing activity is known, select ‘yes’.
- Select the end date.
Data protection principle check
- LAWFULNESS, FAIRNESS & TRANSPARENCY
- Are you processing personal data in a lawful and fair way? Are you transparent in your communication about processing personal data, using clear, plain and easy-to-understand language? If so, select yes. Add a justification if necessary.
- Link relevant policies/procedures provided to the data subjects for this processing activity. (expert question)
- Is there a legal basis defined? This question is filled in automatically if you already determined this in the tab “General details”. Add a justification if necessary. (expert question)
- PURPOSE LIMITATION
- Are you collecting personal data for a specific, explicit, and legitimate purpose that is limited to this processing activity? If so, select yes. Add a justification if necessary.
- SMART principle: select the applicable items and give a justification if necessary. (expert question)
- DATA MINIMISATION
- Is the collection of personal data adequate, relevant, and limited to what is necessary in relation to the purposes? Are you not able to fulfill the purpose by other means? If so, select yes. Add a justification if necessary.
- ACCURACY
- Is the collected data accurate and up-to-date? If so, select yes. Add a justification if necessary.
- Is the data regularly checked for updates? If so, select yes. Add a justification if necessary. (expert question)
- Is the data quality controlled and managed throughout the flow of the data between various processing systems (IM systems)? If so, select yes. Add a justification if necessary. (expert question)
- STORAGE LIMITATION
- Are time limits established for the erasure of data or for a periodic review in order to ensure that the personal data are not kept longer than necessary? If so, select yes. Add a justification if necessary.
- INTEGRITY & CONFIDENTIALITY
- Is the personal data being processed in a manner that ensures appropriate security and confidentiality of the personal data? If so, select yes. Add a justification if necessary.
Processed data lifecycle
The processed data lifecycle is a combined record that specifies which data is processed, from which data subjects, on which systems, how long it is retained, and whether and where it is disclosed.
Personal data
Allows you to select one or more Data Objects and/or attributes being processed, along with the data subject type (one or more) whose data is being processed.
Information management systems
Allows you to indicate one or more IM systems known within RESPONSUM. You can easily add a new IM system right from this section.
Retention period
Allows you to state the retention period for the personal data defined in the earlier section. An integration with FilersKeepers can be activated here to help you define the retention period.
Disclosure
Allows you to indicate where the personal data stated earlier might be disclosed, either internally (Organizational units) or externally (Vendors).
Pre-DPIA
The Pre-DPIA presents 9 yes/no questions that give you an indication of whether a DPIA is required for this processing activity.
You will be able to create a DPIA directly from the processing activity.