What is the effect on resources in maintaining a Record Of Processing Activities under the Thailand PDPA?
In this article, we concentrate on the technical and operational actions needed to capture an overview of current personal data processing activities. This process is not a new invention, however: under the EU GDPR, organizations in European member states are already familiar with the obligation to maintain a record of processing activities and to make it available to their member state data protection authorities.
Section 40 (3) of the PDPA mandates that organizations must “prepare and maintain the integrity of the ROPA (record of processing activities) under the rules and methods set forth by the PDPC”. This requires a full summary of the processing activities that occur within an organization and mandates that these activities be documented properly. Meeting this obligation will require a proactive approach from, and cross-department collaboration within, organizations.
How does this affect controllers and processors?
All data controllers and processors have a responsibility to compile and maintain records detailing all personal data processing activities within the controller’s organization. The records need to be maintained in two formats, written and digital, and must contain the following information:
(a) the name and contact details of the Data Controller and where applicable, the data protection officer;
(b) the purposes of processing the personal data;
(c) a description of the categories of data subjects and the types of personal data;
(d) the categories of receiving organizations to whom the personal data will be disclosed, including recipients in third countries or international organizations;
(e) the transfers of personal data to a third country or an international organization, including the documentation of suitable safeguards;
(f) the data retention schedule for the erasure of categories of data; and
(g) an overview of the applied technical and organizational security measures.
Additionally, the controller or the processor must ensure records are available to the supervisory authority upon request.
What about Data Processors?
The PDPA mandates more accountability from the controller, but it also requires the same accountability from the involved data processor. Therefore, this obligation also applies to processors. Each processor is mandated to maintain records of all categories of processing activities carried out on behalf of a controller, including the following:
- the name and contact details of the processor, of each controller on behalf of which the processor is acting, and of the Data Protection Officer;
- the categories of processing carried out on behalf of each controller;
- transfers of personal data to a third country or an international organization, including the documentation of suitable safeguards;
- a general description of operational and technical security measures used to protect the data.
Operational and technical security measures
Cataloguing records of all the data processing activities within your organization can be a challenge, especially when the processing activities are spread across an organization’s operations. This can be resource-heavy if handled entirely internally.
What is the best practice for completing this work, and what is the best way to store such records? More importantly, how can organizations keep these records maintained and meet the integrity requirement of the PDPA?
Below we provide a few suggestions based on our experience with our clients.
- All business units need to be involved
Almost all data processing activities are carried out across your organization’s departments or business units. Therefore, identify a department stakeholder (a “champion”) to contribute to the data processing activity mapping exercise. Departmental stakeholders can provide valuable and accurate insight into their departments’ data processing activities and help you maintain the integrity of the record of processing activities. By establishing these relationships with local department stakeholders, they also play a part in flagging new high-risk processing activities or new systems for which the controller needs to complete a Data Protection Impact Assessment. Don’t worry; we will be covering DPIAs in our next article.
- Create and carry out regular reviews with stakeholders
Once you have your stakeholders’ participation, the next step is to create a review process in which new processing activities are identified, checked, and added to the record of processing activities (ROPA). If departments have already completed a Data Protection Impact Assessment of the new processing activity, all the information needed to add it to the ROPA will be contained in the DPIA, eliminating any duplication of work. This is also a good time to confirm that existing processing activities have not changed or been discontinued. Remember, your ROPA must always be up to date and relevant.
Always involve other resources, such as the information technology, procurement, and legal teams, as they may also be required to carry out assessments of access rights, contracts, liabilities, and so on.
- Identify a central register for the records
The register of processing activities should be stored in an easily accessible solution. Therefore, take into consideration what is available within the organizational network and any identified off-the-shelf third-party solutions. Organizations should not rely on manual, labour-intensive solutions such as spreadsheets or PDFs, but rather use a purpose-built tool. In this way, one central platform will provide a fully functional, modular overview of all processing activities that take place, together with related data processing contracts and detailed dynamic data maps. The market for privacy tools is expanding rapidly, and such tools are often expensive. It is also good to consider the technical requirements and possibilities within your organization, such as access rights and data handling processes.
How Can Organizations use this obligation to the benefit of the business?
If completed to a high standard, there is much for the business to gain. The records will provide a complete overview of all data processing activities within the organization, enabling the organization to grasp what kind of data is being collected and processed, by whom (which departments or business units), and for what purpose. This knowledge will allow departments such as marketing, data science, customer care, and compliance to combine cross-functional efforts or projects with equivalent goals.
FormitiPDPA is an ideal compliance platform for decentralized teams in different time zones: access and collaboration are easy, making section 40 (3) ROPA maintenance seamless.