Processing Activities

What is this workspace template for?

Document all your data handling activities in one or more workspaces. These should include all business processes that either collect or use personal data as well as internal processes that duplicate, transfer or delete data. Select the “Processing Activities – GDPR” template for this purpose. Processing Activities are necessary for generating your Article 30 report.

Component types contained in this template

  • Business Process

  • Manual Step

  • Automated Step

  • Decision Point

At a minimum, capture the name of each process. The level of detail beyond that depends on your organizational needs. Areas that handle more personal data, or more sensitive personal data, are often recommended to be documented more thoroughly.

The Business Process component is where you name your process, describe it, and document the person responsible. The Responsible field defaults to an email address, but this is frequently changed to a role or name.

The Manual Step component is nested under a named process. The point of documenting the underlying steps is to provide more insight into how the process is executed and, implicitly, how personal data is used. A manual step is, as you would guess, an activity that is performed manually, usually by an employee or customer.

The Automated Step component serves the same purpose as the Manual Step, but the goal is to identify which steps are automated. Making this distinction also allows you to re-use the process documentation to identify points of optimization.

The Decision Point component comes from standard practice in process modeling. The idea is to identify a split in the process depending on some event. A typical example is the point of payment: depending on whether a user chooses to pay by credit card or to receive an invoice, the paths to completion will vary but are related to one another.

Reference types contained in this template

  • Next Step

  • Data Collected

  • Uses

  • Supported by

Defining and using unique reference types is important for analysis and visualizations. If you clearly define your references, you can automate things like gap analysis. An example would be a query asking Ardoq to show you all processes which are collecting personal data for the first time. This would be different than processes that re-use data already owned by the organization.

The Next Step reference is used between processes or step components. This allows you to filter away other information for a clear process flow looking at a single process.

The Data Collected reference is used whenever a process or step collects data for the first time and should be between a step or process name and the related data entity or partial entity (see Master Data). This may be from an external database or from the customer/employee directly. Whenever you use this reference, you will be prompted in the field section to document the Lawful Basis (explained below).

The Uses reference is used whenever a process or step uses data that already exists in an internal system, database, etc. The goal here is to show where personal data is used from a business perspective and also help demonstrate or explain the purpose of usage. Like the Data Collected, you will be prompted to document the Lawful Basis for this usage. The Uses reference should be between processes or steps and data entities or partial entities.

The Supported By reference is used to highlight the underlying applications (systems, tools, etc) which are used in the process. This will be helpful in maintaining an overview of data transfers, storage, access, and security. In addition, this overview will be beneficial to understand the impact of a change in IT or in your process requirements.

Fields contained in this template

  • Lawful basis (list)

  • Responsible (email)

The Lawful Basis field is used to capture the necessary documentation to defend your usage of personal data as referred to in Article 6.

The Responsible field is an email field that lets you show accountability for the processing of the data in that process. We recommend having this at least at the Business Process component level, but it may be valuable to have it on the step level if you are dealing with large amounts of highly sensitive data. Another reason for choosing the email field type is the ability to integrate Ardoq for automated and direct notifications for outages and other cases. We have also seen people use Slack IDs and the like for immediate notifications via an API integration.

How to…

List all your data handling activities:

  1. For this purpose, use the component type “Business Process”.

  2. If necessary, map all the steps of each process. For this purpose, use any of the following component types: “Manual Step”, “Automated Step” or “Decision Point”.

  3. Document the order of the flow by creating a reference of the type “Next Step” between each step and the step that succeeds it.

Map the data entities that each Process either collects or uses:

  1. Use the reference types “Data Collected” and “Data Used” to distinguish between the two, taking care to be consistent when selecting the source and target components. The source component should always be of the type “Process”. The target component should always be of the type “Data Entity”, which should be documented in its own master data workspace.

  2. For each such reference, document the lawful basis for the handling of the data in the field “Lawful Basis”.
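The gap analysis mentioned under the reference types, combined with the consistency rules in the steps above, as an added example (not Ardoq code, its API or its export format). The dictionaries are a constructed sample model, and the keys `responsible` and `lawful_basis` are assumed names for the two template fields.

```python
# Constructed sample model. The dict layout is an assumption for illustration,
# not an Ardoq export format. Steps count as valid sources alongside processes.
PROCESS_TYPES = {"Business Process", "Manual Step", "Automated Step", "Decision Point"}
DATA_REFS = {"Data Collected", "Uses"}

COMPONENTS = {
    "p1": {"name": "Customer onboarding", "type": "Business Process", "responsible": "dpo@example.com"},
    "s1": {"name": "Enter contact details", "type": "Manual Step", "responsible": ""},
    "s2": {"name": "Credit check", "type": "Automated Step", "responsible": ""},
    "p2": {"name": "Newsletter dispatch", "type": "Business Process", "responsible": ""},
    "d1": {"name": "Customer", "type": "Data Entity"},
}
REFERENCES = [
    {"source": "s1", "target": "s2", "type": "Next Step"},
    {"source": "s1", "target": "d1", "type": "Data Collected", "lawful_basis": "Contract"},
    {"source": "s2", "target": "d1", "type": "Uses", "lawful_basis": ""},          # field left empty
    {"source": "p2", "target": "d1", "type": "Uses", "lawful_basis": "Consent"},
    {"source": "d1", "target": "p2", "type": "Uses", "lawful_basis": "Consent"},   # direction reversed
]

def gap_analysis(components, references):
    """Return (item, problem) pairs for entries that would leave holes in the report."""
    gaps = []
    for comp in components.values():
        # Accountability is expected at least at the Business Process level.
        if comp["type"] == "Business Process" and not comp.get("responsible", "").strip():
            gaps.append((comp["name"], "no Responsible"))
    for ref in references:
        if ref["type"] not in DATA_REFS:
            continue  # Next Step and Supported by carry no Lawful Basis
        src, dst = components[ref["source"]], components[ref["target"]]
        label = f'{src["name"]} -[{ref["type"]}]-> {dst["name"]}'
        if src["type"] not in PROCESS_TYPES or dst["type"] != "Data Entity":
            gaps.append((label, "wrong source/target type"))
        elif not ref.get("lawful_basis", "").strip():
            gaps.append((label, "no Lawful Basis"))
    return gaps

def first_time_collectors(components, references):
    """Processes or steps that collect data for the first time rather than re-use it."""
    return sorted({components[r["source"]]["name"]
                   for r in references if r["type"] == "Data Collected"})

if __name__ == "__main__":
    for item, problem in gap_analysis(COMPONENTS, REFERENCES):
        print(f"{problem}: {item}")
    print("Collects for the first time:", first_time_collectors(COMPONENTS, REFERENCES))
```
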
