Does the GDPR Require a Personal Data Inventory? Answer: No
Many privacy officers seem to be under the impression that Article 30 of the General Data Protection Regulation (GDPR) on records of processing activities creates a legal obligation for a data inventory or data mapping. This is not the case. The GDPR replaces current legal obligations that require you to notify and register your processing activities with local DPAs. Under the GDPR you are no longer required to make such notifications but rather are required to maintain a record of all your organisation’s processing activities internally and to make it available to supervisory authorities upon request. So, just like you had an external register, you now need an on-demand internal record.
This webinar starts with a look at the Supervisor Authority perspective and the rationale behind the creation of Article 30. Then, the webinar will discuss how to incent the business to maintain a processing-based inventory that when used in the EU will turn GDPR article 30 reporting into an outcome. Plus, learn the power of focusing on purposes of data processing and hear from one company who has implemented this approach in practice to understand how it betters aligns with business operations and practices and is much easier to scale, update and maintain. Hear also about local Article 30 GDPR guidance, including the Article 30 template guide recently released by the French data protection authority (CNIL), further highlighting that the intention behind the GDPR records of processing requirement. At the end of the webinar, learn how Nymity created an innovative approach to Article 30 compliance as we spend a few minutes to introduce a software solution that makes Article 30 GDPR compliance the responsibility of the business, with support and oversight coming from the Privacy Office/DPO. It is called Nymity SmartPIA™. Registration Link: https://register.gotowebinar.com/register/4745042867954124801 |