A Personal Data Processing Activity is an activity or task that is completed as part of a Business Process. For example, CV Collection would be a Personal Data Processing Activity that is part of the Recruitment Business Process, alongside several other Processing Activities.
Data Subjects are individuals whose Personal Data is being collected, held or processed. A Data Record is defined by the type of Data Subject, their region of residency, and finally, by who controls the Personal Data to be processed. The Data Record is utilised across all the Processing Activities via a Processing Event; this allows data to be tracked through its life-cycle and visualised with lineage maps.
A Business Process is a collection of related, structured Processing Activities or tasks that produce a specific service or product. For example, 'Recruitment' would be a Business Process that takes place within a Human Resources Department.
The Business Area Register allows organisational departments and business units/areas to be added as register records that can be displayed in Privacy Assessments. This allows Business Areas to be linked to other register records, such as Processing Activities and Processing Events, which can then be filtered and reported on.
The Business System Register defines all internal business systems in your enterprise at a high level. A Business System can be a software solution or a collection of technical or physical components, called Assets (see Asset Register). Whether a Business System is external, where it is located, and what data it holds are all defined by the sum of its Assets; a Business System by itself cannot define these.
The Asset Register defines all the technical or physical assets in the enterprise where the data operations are managed solely by the internal organisation, even if the service is owned and run by a Third Party as a service. In some cases, the Asset could be seen as the ‘child’ of a Business System.
The Data Elements Register defines all the individual data elements in your enterprise. These elements are common across all the Processing Activities. It is used as an integral part in forming the definition of a Data Record; the processing event is used to hold the relationships to create this definition. A specific role of the Data Register is to hold the organisation's classification of the data.
Businesses/Organisations that manage or supply external business systems/applications are regarded as Third Party Entries in the system, rather than similar Legal Party Entities who manage data processing under contract, even though both can be regarded as Data Processors from a regulatory
Legal Entity (Legal Party)
Legal Parties, or registered businesses, are responsible for or active in activities involving the processing of Personal Data. Legal Parties can be either Internal or External:
- Internal Legal Parties can identify the different parts of your organisation, which can represent both regional and global entities.
- External Legal Parties identify businesses which support your data processing; these are typically joint data controllers, external controllers, processors and sub-processors.
A Processing Event is a defined action which states the resources used in the processing of Personal Data within a named Processing Activity. The types of possible processing events are Collection, Source, Processing, Storage (planned), Access and Transfer.
The Processing Event Register is typically used to help customers manage complex data structures. For example, if a customer wished to record multiple data transfers for more than one Third Party/Legal Party for a processing activity, you would use the Processing Event Register to facilitate this. Please see below an overview of the different processing event types available.
Data Protection and security regulations promote appropriate use of technical and organisational controls for use by controllers and processors when processing Personal Data. The type of control deployed by an organisation depends on the type and conditions of processing (Who? Where? Why?), as well as the sensitivity and criticality of the data used.
The Risk Register allows for risks to be created and linked against multiple records and registers.
Task Register (Risk Mitigation Activities)
The Task Register allows for risks to be created and linked against multiple records and registers.