Everlaw GDPR Documentation Template
TEAM:
OWNER:
DATE:
[Company] Business Processes and Personal Data

Column groups (left to right): [Company] Business Processes and Personal Data | Data Controller or Processor | Data Type | Data Collection | Data Processing | Data Storage | Data Access | Data Transfer | Data Retention | Data Security (Art. 32) | Data Subject Rights (Art. 15) [may not be applicable] | Data Protection Impact Assessment (DPIA) (Art. 35)

Column guidance, one entry per column in sheet order:

Date: Provide a date when each line item is entered or updated.
Note: This ensures visibility as items change over time.

Process: Name the business processes involving the collection, use, or processing of personal data. Use a new line for each process (or sub-process). (1)
Note: Each team will list all relevant business processes. A sales example would be "Sales Solicitation."

Process Owner: What team in [Company] owns the process? This could be a process or a software location.

Type of Data: Is the personal data about (a) US data subjects, (b) EU data subjects, or (c) both? If (a) only, please complete the blue columns. If (b) or (c), please complete all columns to the best of your ability. The Privacy Team will let you know if more information is needed in either case.
Note: This ensures that non-EU data is included on the inventory.

Data Repository: What [Company] asset contains the data? What system holds the data? Use a new line for each system, program, or location where it is stored.
Note: If the same business process uses several repositories for the data, it will have more than one row.

Repository Approval: Has the data repository (e.g. software tool, storage location, partner or vendor) been approved via the Vendor Management procedure?
Note: This provides a way to ensure privacy and security vetting of all repositories containing personal data, EU or not.

Data Controller: The organization that, alone or jointly with others, determines the purposes and means of processing personal data.

Data Processor: The organization that processes personal data on behalf of the controller, acting on the direction of the controller.

Data Category: List multiple categories if needed. If you choose Other, please describe it.
Ex. Client information, Prospect information, Client data, Employee information, Supplier information, Location data, IP address, Cookies, Other (describe it)

Data Collected: List multiple data types or elements if needed. If the type isn't listed below, add it.
Ex. Client information, Prospect information, Client data, Employee information, Supplier information, Location data, IP address, Cookies, Other (describe it)

Sensitive Data Elements: Does it contain sensitive data?
Ex. Racial or ethnic origin, political opinions, religious or philosophical beliefs, trade-union membership, genetic or biometric data, health data, or data concerning sex life or sexual orientation

Comments: Add context or description if the data type or element isn't clear. Err on the side of over-describing it.

Reason for Collection: Why do we collect the data? List more than one reason if applicable.
Ex. Staff administration, Client administration, Marketing, Sales, Legal obligations-internal ops, Legal obligations-service, Monitoring or profiling, Processing for 3rd party, Other (describe it).

Data Source: Where does the data originate?
Ex. individual themselves, third party (name if applicable).

Data Subject Location: In what country does the data subject reside? For clients, use the primary business location in the contract.

Legal Basis for Collection: Choose the legal basis. If you are not sure, list all that might apply. Legal basis could be one or more of: Legal obligation (specify), Performance of a contract, Legitimate interests of the data controller (specify), Consent.

Purpose for Processing: List the data processing scenarios that use these data types or elements. Processing includes the actions of obtaining, disclosing, and deleting personal data. See (2) for the definition of "processing".

Legal Basis for Processing Scenario: Choose the legal basis. If you are not sure, list all that might apply. Legal basis could be one or more of: Legal obligation (specify), Performance of a contract, Legitimate interests of the data controller (specify), Consent.

Records of Processing: Are any records of processing kept (or can they be generated)?

DPA Status: Is a Data Processing Agreement (DPA) required, and is it in place with the vendor?

Processing Infrastructure: Describe the infrastructure and processes used for each data processing scenario.

Data Storage Location: Where is it? List all locations that apply.
Ex. End user devices (desktops, laptops, mobiles), file servers, virtual environments, cloud environments (any, incl. Box etc.), databases, email, websites, external org, physical/paper storage, other (describe)

Data Repository Location: List the applicable country.

Data Repository Owner: [Company] owned or controlled? Vendor owned or controlled? Other?

Accessor: List the people or processes that access the data.

Means of Access: How is access granted and effected? List for each accessor type.

Accessible Data: Data types available - all or a portion? Describe.

Purpose of Access: What is the business purpose for access?

Transfer Recipient: If transferred, name the individual or vendor. Note if it is being transferred outside of the originating country, e.g. EU to US.

Transfer Method: How is the data transferred?

Data Transferred: Data types transferred - all or a portion? Describe.

Retention Period: How long is the data retained? Be as specific as possible. If there is no retention period established, describe whether we can make one and what you recommend.

Retention Owner: Who determines when [Company] deletes the data? Be specific.

Security Requirements: Describe technical and organizational security requirements for the data, including any special cases or considerations that should be taken into account.

Security Actions: Describe the actions taken to secure the data in detail. It is possible that you will have to come back to this section if remediation actions are required.

Security of Processing: Choose which of the following processes and controls apply to this personal data (copy all that apply into the row):
--Pseudonymisation and/or encryption of personal data (e.g. encryption in transit and at rest of data)
--Ability to ensure ongoing confidentiality, integrity, and availability of processing systems and services (e.g. in-scope SOC 2 Type II audit)
--Ability to restore availability in the event of an incident (e.g. in-scope for BCP/DR Procedure)
--Process for regularly testing the effectiveness of security measures (e.g. in-scope for SOC 2, and/or pen and vuln testing)
--Security risks of processing are addressed in the Risk Register
--Role-based access to data adhering to least privilege policy, and access pursuant to contracted authority
--Adherence to Art. 42 Code of Conduct and/or Art. 42 Certification

Transparent Communication: Is it clear to data subjects what data is being collected and processed? Consider the language used when we obtain consent and in the Privacy Policy or contract. (3)

Right to Basic Information: Can we easily provide data subjects with information on the identity of the controller, the reasons for processing their personal data, and other relevant information?

Right of Access: Can we easily document and provide data subjects with information about and access to their data? (4)

Right to Erasure: Can we easily remove the data we collected and processed if requested by the data subject? (5)

Right to Data Portability: Can we easily provide the data to a data subject if they wish to move or transfer it? (6)

Rights to Objection and Rectification: Data subjects have various rights to object to processing (or to correct information). Of note is the right to object to processing for the purposes of direct marketing. Can we easily receive and respond to such objections?

Risk Level: Is processing likely to result in high risk? Risk must be analyzed from the view of the data subject. (7)
A DPIA is an assessment of the impact of data processing operations on the protection of personal data, and an assessment of the likelihood and severity of risks for the rights and freedoms of individuals resulting from a processing operation. Under the GDPR, controllers will be required to undertake DPIAs prior to data processing - in particular processing using new technologies - which is likely to result in a high risk for the rights and freedoms of individuals (Article 35).

Processing Description: If high risk, describe the processing in more detail. Enter a description of the processing operations and the purposes of the processing, including, where applicable, the legitimate interest pursued by the controller. This will require further consultation with the Risk Committee as well as a more in-depth DPIA.

Assessment: If high risk, describe the necessity and proportionality of the processing. (8) If high risk, conduct an assessment of the potential risks to the data subjects. (9)

Measures Taken to Address Risk: For ALL risk levels, describe the measures taken by your team to address the risks and ensure security of the data. Be specific about your team's actions and do not cite [Company's] security and compliance program in general. (10)

Residual Risk: Is the level of residual risk high?
Created by: Lisa Hawke
(1) "Personal data" means any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person. [Art. 4, Definitions]
Art. 4, Definitions (link)

(2) "Processing" means any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction. [Art. 4, Definitions]

(3) In order to ensure that personal data are processed fairly and lawfully, controllers must provide certain minimum information to data subjects, regarding the collection and further processing of their personal data. Such information must be provided in a concise, transparent, intelligible and easily accessible form, using clear and plain language. Any information provided to children should be in such a clear and plain language that the child can easily understand. [Art. 15, Right of access by the data subject]
Art. 15, Right of access (link)

(4) Data subjects have the right to obtain the following:
--confirmation of whether, and where, the controller is processing their personal data;
--information about the purposes of the processing;
--information about the categories of data being processed;
--information about the categories of recipients with whom the data may be shared;
--information about the period for which the data will be stored (or the criteria used to determine that period);
--information about the existence of the rights to erasure, to rectification, to restriction of processing and to object to processing;
--information about the existence of the right to complain to the DPA;
--where the data were not collected from the data subject, information as to the source of the data; and
--information about the existence of, and an explanation of the logic involved in, any automated processing that has a significant effect on data subjects.
Additionally, data subjects may request a copy of the personal data being processed. [Art. 15, Right of access by the data subject, link above]

(5) Data subjects have the right to erasure of personal data (the "right to be forgotten") if:
--the data are no longer needed for their original purpose (and no new lawful purpose exists);
--the lawful basis for the processing is the data subject's consent, the data subject withdraws that consent, and no other lawful ground exists;
--the data subject exercises the right to object, and the controller has no overriding grounds for continuing the processing;
--the data have been processed unlawfully; or
--erasure is necessary for compliance with EU law or the national law of the relevant Member State. [Art. 15, Right of access by the data subject, link above]

(6) Data subjects have a right to:
--receive a copy of their personal data in a structured, commonly used, machine-readable format that supports re-use;
--transfer their personal data from one controller to another;
--store their personal data for further personal use on a private device; and
--have their personal data transmitted directly between controllers without hindrance. [Art. 15, Right of access by the data subject, link above]

(7) HIGH RISK EXAMPLES: *
Automated decision-making with legal or similar significant effect, Evaluation or scoring, Systematic monitoring, Sensitive data element, Data processed on a large scale, Datasets that have been matched or combined, Data concerning vulnerable subjects, Data transfer across borders outside the EU, Innovative use or applying technological or organizational solutions, Where the processing itself prevents individuals from exercising a right or using a service or contract.
MEDIUM RISK EXAMPLES: Processing sensitive personal data, Processing personal data of vulnerable individuals (e.g. children), Large-scale processing of any personal data.
LOW RISK EXAMPLES: Anonymized data, Pseudonymized data, Secure small-scale processing (strong security, limited purpose, low level risk to individuals)

(8) If HIGH RISK is selected, describe the necessity and proportionality of the processing operations in relation to the purpose. *
NECESSITY: The processing operations, the categories of data processed and the duration the data are kept shall be necessary for the purpose of the processing.
PROPORTIONALITY: This requires that only that personal data which is adequate and relevant for the purposes of the processing is collected and processed.

(9) EXAMPLES: *
--Risk of tangible, physical and material harms (including financial or economic loss, physical threat or injury, unlawful discrimination, identity theft, loss of confidentiality and other significant economic or social disadvantage); or
--Risk of intangible and non-material harms (such as damage to reputation or goodwill, or excessive intrusion into private life)
EXAMPLES of THREATS:
• unjustifiable or excessive collection of data;
• use or storage of inaccurate or outdated data;
• lost or stolen data or destruction and alteration of data;
• unjustifiable or unauthorised access, transfer, sharing or publishing of data; and
• inappropriate use or misuse of data, including:
a) use of data beyond individuals’ reasonable expectations;
b) unusual use of data beyond societal norms, where any reasonable individual in this context would object; or
c) unjustifiable inference or decision-making, which the organisation cannot objectively defend.

(10) EXAMPLES: data anonymisation or pseudonymisation; data minimisation and security measures; team data governance or oversight such as limiting access and data sharing; limiting use by third parties; limiting geographical scope; restricting subsequent processing; implementing new or enhanced security measures; training employees involved in risky processing; deciding not to collect or store particular types of data; limiting retention periods; ensuring secure and permanent personal data deletion; taking steps to ensure that individuals are fully aware of how their personal data are used and can contact the organisation for assistance.

*For (7)-(10), see: Guidelines on DPIA and determining whether processing is "likely to result in high risk", 4 April 2017, Article 29 Working Party, available at: ec.europa.eu/newsroom/document.cfm?doc_id=44137

Disclaimer:
The materials available here are for informational purposes only and not for the purpose of providing legal advice. You should contact your attorney to obtain advice with respect to any particular issue or problem.