October 2021 release

Processor overhaul

This release mainly centers around changes made to processing activities handled by Processors. It represents a major first phase intended to align the GDPR software with Article 30.2 of the GDPR, which states that all Processors shall maintain a record of all categories of processing activities carried out on behalf of a Controller.

In practical terms, prior to this release, the data fields for processing performed by Processors were an abridged version of those provided for Data Controllers. With this new release, the two sets of fields are virtually identical. The only real difference between Processors and Data Controllers lies in their respective Article 30 requirements.

In a nutshell, a Processor has the same Article 30 requirements as a Data Controller, except that for Processors:

  • the Recipients section is not required

  • the Impact assessment (PIA) section is not required

What this means for you

Since more data is now required for Processors to achieve Article-30 compliance, Processor processing activities that were Article-30 compliant before this release may no longer be compliant.

To help you update your Processor processing activities to achieve Article-30 compliance, see the updated article Creating Article 30-compliant processing.

Note that in Extended mode, the requirements to achieve 100% completion are now identical for Data Controllers and Processors. See Completing processing in Extended mode.

Don’t lose your data!

In the former version of the GDPR software, the Security measures section for Processors consisted of two lists of security measures, internal and external, that were not linked to any particular building, software or hardware.

Now, the Security measures section is the same as for Data Controllers, i.e. security measures must be linked to specific buildings, hardware or software.

To avoid losing data for existing Processor processing activities that have security measures selected, the information has been kept on the new page under a tab called Retrieved data. It is up to you to reallocate each security measure to the appropriate buildings, software or hardware in the Building access control measures and IT security measure tabs.

The “Retrieved data” tab is temporary. THE INFORMATION IT CONTAINS WILL BE PERMANENTLY DELETED AT THE END OF THE YEAR. If you wish to keep this information, reallocate it to the other tabs before the year ends!

TIP: If you're not sure you'll have time to reallocate the information, make screen captures!

Identical, virtually

We already mentioned that processing activity pages are virtually identical for Data Controllers and Processors. So what part isn’t identical? Third party qualifications. The dropdown menus are slightly different to take account of the specific qualifications required by Data Controllers or Processors when assigning third parties.

Other improvements

Data controller/Processor page title

At the top of the page, next to the title, you can see whether the processing activity is performed by a Data Controller or a Processor.

Processing search bar

  • The search bar that already exists at the top of the page of each processing activity has been added to the general processing page.

  • Searches cover both processing activity names and area names.

  • The search bars are now case-insensitive and accent-insensitive.