Less Documentation Effort in Data Protection

Documentation is an unpopular task. When it comes to data protection, companies see it as far too much effort. You cannot do without it entirely, but you can significantly limit the documentation work without violating the General Data Protection Regulation (GDPR). We provide tips on how to reduce the effort involved in data protection documentation.

“I can’t get to data protection because of all the documentation,” many companies think. In general, documentation is not an activity that triggers enthusiasm in most employees. When documentation and data protection come together, things often look even worse: requirements that, from the point of view of many companies, restrict the use of data and thus block business opportunities must on top of that be described and explained in detail.

Documentation should not be viewed negatively; it is not about unnecessary descriptions and records. Rather, documentation is always part of the business and, for many reasons, also part of data protection. As shown below, data protection documentation is genuinely useful to an organization and not just a chore.

What regulators say about documentation requirements

Many companies fear that they will have to provide mountains of documents if there is an examination by the responsible supervisory authority or a data breach occurs. It is therefore worth taking a look at the explanation of the documentation requirements by the supervisory authorities.

These explain: the GDPR obliges the controller to demonstrate that personal data is processed lawfully (accountability, Art. 5(2) GDPR). In addition, the GDPR provides for documentation requirements at various points, for example for the record of processing activities (Art. 30), for the documentation of personal data breaches (Art. 33(5)) and for the documented instructions a controller gives a processor (Art. 28). The data protection impact assessment (DPIA, Art. 35), a form of risk analysis, also requires extensive documentation.

Unfortunately, the record of processing activities, i.e. the list of all processing of personal data, is not a kind of overall documentation. It is a core part of the data protection documentation, but not all of it.

The supervisory authorities emphasize that creating the record of processing activities does not satisfy all the documentation requirements of the GDPR. For example, the existence of consent, the lawfulness of the processing as a whole and the results of data protection impact assessments must each be proven by appropriate documentation.


Why this is necessary: Accountability

A key reason for having to document all of this is the principle of accountability. This principle is not unique to data protection. The European Data Protection Supervisor puts it this way: accountability is a general principle for organizations in many different fields. It is intended to ensure that organizations meet the expectations placed on them, for example regarding the delivery of their products and their conduct towards the parties they interact with. In the GDPR, accountability is expressed as a principle that organizations must take appropriate technical and organizational measures and must be able, on request, to demonstrate what they have done and that it was effective.

This includes, among other things, the following measures: appropriate documentation of which data is processed, in what way, for what purpose and for how long; documented processes and procedures for resolving data protection problems early when setting up information systems and for reacting to data protection violations; and the integration of a data protection officer into organizational planning and operational processes.

What is really expected: Adequate documentation

Even if the demands made by the supervisory authorities sound very extensive: if, for example, the supervisory authority carries out an audit, nobody expects a warehouse full of data protection files.

Rather, the supervisory authorities have very clear ideas about what absolutely has to be in place. A good example is the checks of existing ransomware protections that supervisory authorities are currently carrying out.

In that case, the following documentation in particular should be available; these are the essential parts of the documentation a supervisory authority expects here:

- a complete and up-to-date overview of all IT systems and IT components in use (clients, servers, firewalls, switches, VPN endpoints, and not forgetting the IT in home offices), i.e. an IT inventory and a network plan
- a regular evaluation of vulnerability information for the components in use, and a description of patch management
- a backup concept
- logs for checking data traffic, together with a logging and analysis concept
- training documentation on data protection and data security
- an authorization concept


Admittedly, that is quite a lot of documents that should be available. But this documentation is not an end in itself, nor is it something that has to be done only for data protection. Rather, the IT department and IT security should want these documents anyway. This insight already contains a key to reducing the effort involved in data protection documentation.

The most important thing: avoid duplication of effort, use synergies, see advantages

Companies produce the little-loved documentation in many areas, including areas whose importance for marketing and customer image is perceived much more strongly than is the case for data protection.

Quality management also requires extensive documentation. Here you should look for synergies with the documents that data protection requires. When describing a process, it is best to view it through both lenses at once, that of quality management and that of data protection.

You should also recognize the advantages of good documentation, because it does not only serve as evidence in supervisory checks or in the event of a data breach. Good descriptions that do not touch confidential areas are suitable, for example, for onboarding and training employees.

Last but not least, good documentation can also help to uncover gaps in procedures and processes, because when you describe something, its flaws become more visible. Working out a backup concept, for example, not only helps with GDPR accountability but can also lead to better backup processes.

Documentation should therefore never be seen as an end in itself, but as part of appropriate data protection and of good corporate governance.