How did Syntec Numérique build its data processing register for the RGPD?
What approach?
The legal team in charge of Syntec Numérique’s compliance project opted for an exhaustive approach to identify all the union’s personal data processing operations. As I explained in aprevious article, our project manager chose to start with each person’s mission statement, and then conduct interviews with the union’s key people.
This rigorous approach has enabled us to identify 100% of personal data processing in all the union’s processes. And for Syntec Numérique, the trade union, personal data is mainly that of the union’s member representatives and employees.
To build the register, we looked for a tool and finally we built our own, taking inspiration from the documents put online by the CNIL and especially its Belgian counterpart. As a reminder, Syntec Numérique members will findall the practical information they need to take their own procedures further on the website.
We chose to create a spreadsheet listing all actions involving personal data. For example, variable pay elements for employees, or mandate tracking for members. And then, for each line, to specify a wide range of information. For example, the department concerned, the purpose of the processing, the information to be given to data subjects or how the personal data is recorded. The file was then forwarded to all Syntec Numérique employees so that they could complete, modify or validate the information. This is a collective effort involving all the union’s employees, who “handle” this personal data on a daily basis and must ultimately adopt the right reflexes. This essential phase of informing, raising awareness and above all involving employees in Syntec Numérique’s compliance will obviously be the subject of specific and regular actions that will be developed as part of the next stages of compliance.
What lessons can we learn?
We were very surprised to find that our register contained around a hundred lines. We hadn’t imagined the scale of the census. For example, for Syntec Numérique’s human resources department, 16 processing operations involving personal data were listed. This lesson is worth pondering, as it will undoubtedly be experienced by companies when they carry out the same census work to draw up their registers.
What next?
We are now going to work on two actions very quickly. Firstly, we’re going to carry out a security audit of our information systems with regard to the RGPD. This will enable us to clarify certain aspects. And so we’ll be drawing up precise specifications to choose a service provider capable of carrying out this audit satisfactorily. Then we’ll be working on the register drawn up to analyze line by line and confirm choices such as the data retention period or the information given to data subjects.