IAB Europe GDPR Compliance Primer 4
The Road to GDPR Compliance
Review and Document Data Processing Activities and Security Measures
Accountability is a central theme that runs throughout the GDPR. Reviewing and documenting all
your data processing and security activities is a good first step towards this goal.
As part of this process, you should also identify why and how you are processing the personal data
you hold. Building this basic understanding of your data processing activities may require you to pay
attention to special considerations – especially whether you are processing sensitive personal data.
Additionally, the review may reveal that some of your processing activities require special
safeguards, so that, depending on the nature of the processing taking place, the security
processes in place at your company may also need to be reassessed. This is a necessary
step, considering the much higher fines that companies may face in the event of a breach
or other incident which could have been prevented or mitigated with more appropriate safeguards.
A good way to approach this exercise is to bring together different departments of your company.
You should avoid a situation where GDPR compliance is left solely to your legal teams, a Data
Protection Officer (DPO), or IT. Interviews and questionnaires with employees from all departments
– and potentially with key suppliers and partners – will allow you to identify what type of data
processing occurs in each area of your company’s work. Understanding all these processes is key.
This allows you as a company to record every type of processing according to its purpose, which
provides an invaluable data processing map for ensuring compliance with the GDPR.
Things to Document
As you go through reviewing and documenting your data processing activities you should consider
each on the basis of ‘what, where, when, why’ as well as the expected consequences of the process,
and conduct a risk analysis for each process. Keep in mind this also includes any employee data you
are processing. The following questions may help you in this process:
• What information is given before collecting and processing of data?
• Whose data are you processing, what is it, where is it processed, when is it processed and
why is it processed? (Do you have a legal basis, and do you process in accordance with the data
processing principles?)
• What data is anonymised, what data is pseudonymised?
• For how long are you storing such data?
• Who do you share such data with?
• What is the risk level for each process?