In the navigation menu select the “Processing Activities” menu item (Article 30 GDPR).
As described in section regarding Master Data, NiōBase will supply a series of templates for processing activities. These can be used for the implementation of the GDPR requirements within your organization, however they must be examined in detail. It is very important to pay special attention to the processors, systems, data subject categories, and technical and organizational safety measures and adapt them if necessary. Please also check a potential risk and a data protection impact assessment that may be required, if you use special categories in accordance with Article 9 GDPR.
Before you start examining and adjusting the templates, we recommend you to familiarize yourself with the system by creating a new processing activity.
In the following steps, we will show you how to create a processing activity based on the example of “Travel Management”.
1. Create a Processing Activity
In the overview of processing activities, click on 'New' in the top right, as displayed in the previous screen. You will then be shown the following screen (extract) and can start with the entry of a new processing activity.
The screens are displayed in two columns. If your screen has a lower resolution, all the fields may instead be displayed in sequence in a single column. If you are not yet familiar with the system and with the definition of processing activities within the framework of the GDPR, we recommend starting with the left column and filling in all the necessary information while scrolling down. Afterwards, continue with the TOMs (technical and organizational measures) on the right side.
5. Select Data Subject Categories
Now, in the “Data Subjects” section (Data Subject Categories), add the data subjects (employees, customers, etc.) as well as their data categories (name, address, date of birth, etc.). First select the relevant Storage Period [1] that is legally required for this purpose [2]. List all categories individually (in the future you will be able to state the storage period collectively). Missing storage periods can be entered later under “Storage period” in the “Categories” navigation section [3].
[1] If you have any questions, please contact your legal adviser, data protection coordinator or officer, or your Chamber of Trade or Commerce.
[2] For this purpose, contact your data protection controller or officer or your legal counsel, if necessary.
[3] Unfortunately, a consolidated list of storage periods is not available for every country. The periods for Austria can be found via the following link:
https://www.wko.at/service/wirtschaftsrecht-gewerberecht/eu-dsgvo-speicher-und-aufbewahrungsfristen.html, accessed on 26/05/2018. If necessary, please contact your legal adviser, data protection coordinator or officer, or your Chamber of Trade or Commerce.
7. Specify a Target System
With its integrated logic, the system automatically recognizes the next step and asks you to select the preceding processing activity “Personnel file management”. In the next step, select the “System” and choose the appropriate HR software - in this example 'Salesforce'.
Now the following entries should be available to you:
8. Add Data Processing
Now using the '+ Add data processing' function add the data transfer to hotels because you will be forwarding personal data for the hotel booking for the purposes of Travel Management.
Using the same “+ Add data processing” function, add the other data transfers, for example to railways, airlines, car rental companies, embassies or immigration authorities, or whichever recipients your business activities require. In doing so, always keep in mind the data subject categories that you will be recording in the next step.
After this step, you should have a screen with entries similar to the one below:
10. Set Access Permissions
Now specify who in your organization has access to this data in the company. The selected roles are typical but can differ in each organization. Please examine this very closely and select the appropriate roles. If roles are missing, you can add them right here using the '+ Add Job Title' function without having to leave this screen. The roles will then be immediately available for other processing activities.
11. Create a Risk Analysis
In the next step, you must create a risk analysis. If necessary, this must be compared with a data protection impact assessment and with the technical and organizational safety measures (TOMs) that have already been taken. A Data Breach Notification process is necessary where appropriate.
For this purpose NiōBase offers a template with a typical process for a possible data breach.
The template must be examined and possibly adapted in your organization for the application.
Refer to the GDPR legal text relevant to these issues in NiōBase under the “GDPR” navigation section. The appropriate notes can be found in Articles 32, 33, 34, 35 and 36. Furthermore, if necessary, please refer to your legal adviser, data protection coordinator or officer or your Chamber of Trade or Commerce.
1. Make an assessment for the risk analysis. This must be carried out manually.
2. Describe the assessment made for the risk analysis. Important: You must also describe your risk assessment, even if you classed the risk as low.
3. The controller will be set to active depending on your assessment.
13. Take additional measures
Depending on the processing activities and the technical and organizational measures taken within the framework of the risk analysis, data deletion as well as data correction processes and data minimization measures could be necessary. The necessary processes can be linked directly provided they are saved in the system. Furthermore, it is possible to link documents that contain the appropriate measures and that you previously uploaded via the document management function (“Operative” - “Documents” navigation section) or linked externally.
Regularly save your entries and finalize the entry by clicking on 'Update'.
Set Processing Activity as active
Once your processing activity is completely defined, you can use the “Status” drop-down menu and set it to “Active”. A slider will appear, which you can use to specify a time frame. This is useful when processing activities change over the years: you copy and modify a processing activity and deactivate the old one, and the old and new versions together form the history of changes that the GDPR requires.
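The walkthrough above amounts to a set of completeness rules for an Article 30 record: every data category needs a storage period, every data transfer must refer to data subject categories that are actually recorded, access roles must be selected, the risk assessment must be described even when rated low, and a revised activity replaces the old one with a validity period so that the history is preserved. The following script is an added example that is not part of NiōBase or of this manual; the record layout, field names and the sample “Travel Management” values are constructed assumptions chosen to mirror the steps, not the product's data model. It runs the checks over an incomplete and a complete record and shows how activation and supersession keep both versions.

```python
"""Completeness checks for an Article 30 processing-activity record.

Added example, not NiōBase code: the dataclasses below are a constructed
stand-in for the fields the manual walks through.
"""
from __future__ import annotations

from dataclasses import dataclass, field
from datetime import date
from typing import Optional


@dataclass
class DataCategory:
    name: str
    storage_period: Optional[str] = None   # e.g. "7 years"; None = still to be entered


@dataclass
class DataSubjectCategory:
    name: str                               # e.g. "Employees"
    categories: list[DataCategory] = field(default_factory=list)


@dataclass
class DataProcessing:
    processor: str                          # recipient of the transfer, e.g. "Hotels"
    data_subjects: list[str]                # DataSubjectCategory names the transfer concerns


@dataclass
class RiskAnalysis:
    level: str                              # "low", "medium" or "high"
    description: str = ""                   # must be filled in even when level is "low"


@dataclass
class ProcessingActivity:
    name: str
    system: str
    data_subjects: list[DataSubjectCategory] = field(default_factory=list)
    processings: list[DataProcessing] = field(default_factory=list)
    access_roles: list[str] = field(default_factory=list)
    risk: Optional[RiskAnalysis] = None
    status: str = "draft"                   # "draft", "active" or "inactive"
    valid_from: Optional[date] = None
    valid_to: Optional[date] = None


def completeness_errors(pa: ProcessingActivity) -> list[str]:
    """Return the gaps that should block setting the activity to Active."""
    errors: list[str] = []
    if not pa.data_subjects:
        errors.append("no data subject categories recorded")
    for ds in pa.data_subjects:
        for cat in ds.categories:
            if not cat.storage_period:
                errors.append(f"{ds.name}/{cat.name}: storage period missing")
    known = {ds.name for ds in pa.data_subjects}
    for p in pa.processings:
        unknown = sorted(set(p.data_subjects) - known)
        if unknown:
            errors.append(f"transfer to {p.processor} names unrecorded data subjects: {unknown}")
    if not pa.access_roles:
        errors.append("no job titles granted access")
    if pa.risk is None:
        errors.append("risk analysis missing")
    elif not pa.risk.description.strip():
        errors.append(f"risk rated '{pa.risk.level}' but the assessment is not described")
    return errors


def activate(pa: ProcessingActivity, valid_from: str) -> None:
    """Set the activity to Active from an ISO date; refuse while gaps remain."""
    errors = completeness_errors(pa)
    if errors:
        raise ValueError("cannot activate: " + "; ".join(errors))
    pa.status, pa.valid_from, pa.valid_to = "active", date.fromisoformat(valid_from), None


def supersede(old: ProcessingActivity, new: ProcessingActivity, changeover: str) -> None:
    """Activate the revised copy and close the old one on the same date, keeping both."""
    activate(new, changeover)
    old.status, old.valid_to = "inactive", date.fromisoformat(changeover)


def travel_management(complete: bool) -> ProcessingActivity:
    """Constructed sample record following the manual's Travel Management walkthrough."""
    employees = DataSubjectCategory("Employees", [
        DataCategory("Name", "7 years"),
        DataCategory("Address", "7 years"),
        DataCategory("Date of birth", "7 years" if complete else None),
    ])
    return ProcessingActivity(
        name="Travel Management",
        system="Salesforce",
        data_subjects=[employees],
        processings=[DataProcessing("Hotels", ["Employees"]),
                     DataProcessing("Airlines", ["Employees"])],
        access_roles=["HR clerk", "Travel coordinator"],
        risk=RiskAnalysis("low", "Booking data only; no special categories." if complete else ""),
    )


if __name__ == "__main__":
    draft = travel_management(complete=False)
    for err in completeness_errors(draft):
        print("gap:", err)
    current = travel_management(complete=True)
    activate(current, "2018-06-01")
    revised = travel_management(complete=True)
    supersede(current, revised, "2019-01-01")
    print(current.status, current.valid_from, current.valid_to, "->", revised.status, revised.valid_from)
```

The two gaps reported for the incomplete record are exactly the ones the manual singles out: a data category without a storage period and a low-rated risk with no written assessment. Keeping superseded records as inactive entries with a closing date, rather than deleting them, is what turns a list of activities into the change history the GDPR expects.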