We are having a discussion in our company on what level a Processing activity should be at while implementing a SaaS for managing our RoPA. Some are arguing that we can look at the defined business processes to determine the level, e.g. recruitment is equal to one processing activity, while other argue that we must also define the different sub-tasks under the recruitment process and have each sub-task as their own processing activity in the RoPA.
At what level do you keep them in your company? And what are the pros/cons that you have based on your level of detail?
Magnus T
Hi,
I’m working at DPOrganizer and have discussions on this topic from time to time with our clients. We usually recommend to be a bit broader (the first approach mentioned by you). If you have too many processing activities to manage and keep up to date, the work becomes unmanageable. Processing activities are meant to describe how you process personal data, it needs not to be detailed descriptions of all your business processes (and their sub tasks). I hope that helped a bit.