I’m a DPO at a large FE college and I am struggling to make sure our data mapping document is updated. It was created by a previous staff members at the time of GDPR introduction but has subsequently not been updated by all areas.
Would anyone be willing to share how they make sure this document is updated/checked? and/or willing to share their document as I wonder if ours is too complex to maintain!
There isn’t a simple answer to this, but my key takeaway from the last 3 years is that you can’t expect other stakeholders (outside of IT) to do this unless it has been wrapped into their job description.
A tool such as DP Organizer (other systems are available!) can make this much easier though. It will enable you to send out a review document. Mine are normally accompanied by a message along the lines of ‘can you just check this and note if anything has change, and if you are doing new things which include data processing could you give me a quick outline of what they are’. This will often show up new processing activity.
The frequency of these review requests is based on the stakeholder department, i.e. finance once a year, marketing once a quarter (or more frequently).
I would firstly suggest that your Records of Processing Activity (RoPA) be maintained as often as it changes. So as and when the college takes on a new system, or starts a new processing activity, go in there and review it.
I’m DPO for a large organisation and I couldn’t operate our RoPA in a spreadsheet, so we are fortunate enough to have resources enough to use a SaaS platform to collect, process, risk assess and validate our RoPA.
However, if you don’t have that luxury, I would review the RoPA and start getting the departments or process owners to talk you through the processing activities so that you can go back and update the RoPA. It should be a living breathing record, continually updated to reflect what happens in the business.
If you want to sense-check your RoPA, the ICO have example templates that might give a clue about level of detail.
Very little to add from what Dean has said.
I would make sure everyone knows their responsibility to add to the RoPA as and when required.
Henk van Leussen
If your RoPA has not been tracked for three years, I would recommend starting the inventory again. You can then choose to re-enter everything from scratch, but comparing and updating is of course also an option.
It is of course important to register all changes and new processing activities from now on.