<?xml version="1.0" encoding="UTF-8"?><rss version="2.0"
	xmlns:content="http://purl.org/rss/1.0/modules/content/"
	xmlns:wfw="http://wellformedweb.org/CommentAPI/"
	xmlns:dc="http://purl.org/dc/elements/1.1/"
	xmlns:atom="http://www.w3.org/2005/Atom"
	xmlns:sy="http://purl.org/rss/1.0/modules/syndication/"
	xmlns:slash="http://purl.org/rss/1.0/modules/slash/"
	>

<channel>
	<title>REVEALS</title>
	<atom:link href="https://www.reveals.lu/en/feed/" rel="self" type="application/rss+xml" />
	<link></link>
	<description>leverage the real potential of your data</description>
	<lastBuildDate>Sat, 16 May 2026 05:17:18 +0000</lastBuildDate>
	<language>en-GB</language>
	<sy:updatePeriod>
	hourly	</sy:updatePeriod>
	<sy:updateFrequency>
	1	</sy:updateFrequency>
	<generator>https://wordpress.org/?v=7.0</generator>

<image>
	<url>https://www.reveals.lu/wp-content/uploads/2024/01/cropped-cropped-MicrosoftTeams-image-32x32.png</url>
	<title>REVEALS</title>
	<link></link>
	<width>32</width>
	<height>32</height>
</image> 
<site xmlns="com-wordpress:feed-additions:1">192687783</site>	<item>
		<title>Data privacy and management: how can we ensure data security?</title>
		<link>https://www.reveals.lu/en/data-privacy-and-management-how-can-we-ensure-data-security/</link>
					<comments>https://www.reveals.lu/en/data-privacy-and-management-how-can-we-ensure-data-security/#respond</comments>
		
		<dc:creator><![CDATA[LOLA EN]]></dc:creator>
		<pubDate>Sun, 26 Apr 2026 04:50:00 +0000</pubDate>
				<category><![CDATA[English articles]]></category>
		<guid isPermaLink="false">https://www.reveals.lu/?p=4760</guid>

					<description><![CDATA[<p>In an era characterised by an explosion in data volumes, businesses are required to implement an effective privacy and data management policy. They are obliged to comply with the GDPR, which aims to regulate and secure the processing of personal data. Reveals supports you in understanding this regulatory framework, identifying the key issues and implementing [&#8230;]</p>
<p>The post <a href="https://www.reveals.lu/en/data-privacy-and-management-how-can-we-ensure-data-security/">Data privacy and management: how can we ensure data security?</a> first appeared on <a href="https://www.reveals.lu/en/home">REVEALS</a>.</p>
]]></description>
										<content:encoded><![CDATA[
<blockquote class="wp-block-quote is-style-default has-background is-layout-flow wp-block-quote-is-layout-flow" style="background-color:#f7ebec">
<p class="wp-block-paragraph">Key points:</p>



<ul class="wp-block-list">
<li>Businesses must comply with GDPR requirements regarding the protection of personal data.</li>



<li>They must ensure data security in order to prevent the risk of data leaks, hacking or misuse.</li>



<li>The implementation of data governance structures the policy for managing and processing information flows.</li>



<li>This management is a major challenge for businesses in the face of digital and technological development.</li>
</ul>
</blockquote>



<div style="height:30px" aria-hidden="true" class="wp-block-spacer"></div>



<figure class="wp-block-image size-full"><img fetchpriority="high" decoding="async" width="928" height="399" src="https://www.reveals.lu/wp-content/uploads/2026/05/data-management-cover.webp" alt="" class="wp-image-4769" srcset="https://www.reveals.lu/wp-content/uploads/2026/05/data-management-cover.webp 928w, https://www.reveals.lu/wp-content/uploads/2026/05/data-management-cover-480x206.webp 480w" sizes="(min-width: 0px) and (max-width: 480px) 480px, (min-width: 481px) 928px, 100vw" /></figure>



<div style="height:30px" aria-hidden="true" class="wp-block-spacer"></div>



<p class="wp-block-paragraph">In an era characterised by an explosion in data volumes, businesses are required to implement an <strong>effective privacy and data management policy</strong>. They are obliged to comply with the GDPR, which aims to regulate and secure the processing of personal data. Reveals supports you in understanding this regulatory framework, identifying the key issues and implementing practical measures tailored to your business.</p>



<div style="height:50px" aria-hidden="true" class="wp-block-spacer"></div>



<h2 class="wp-block-heading" id="what-is-data-privacy">What is data privacy?</h2>



<p class="wp-block-paragraph"><strong>Data privacy</strong> refers to all measures designed to protect personal information collected by an organisation, whilst ensuring that individuals retain control over its use. It helps prevent any unauthorised access, use or disclosure.</p>



<p class="wp-block-paragraph"><strong>Personal data</strong> refers to any information that allows a natural person to be identified, either directly or indirectly. This may include their first and last names, telephone number, email address, online credentials, national insurance number or IP address.</p>



<p class="wp-block-paragraph">Protecting this information is a major concern, as misuse can have serious consequences: unsolicited marketing, discrimination or even identity theft.</p>



<p class="wp-block-paragraph">In this context, individuals must be able to retain <strong>control</strong> over their information. They have the right to be informed clearly and transparently about how their data is collected, stored and processed.</p>



<p class="wp-block-paragraph">For their part, organisations are obliged to put in place <strong>protocols</strong> and technical and organisational measures to ensure information security and to comply with the principles of transparency and security.</p>



<div style="height:50px" aria-hidden="true" class="wp-block-spacer"></div>



<h2 class="wp-block-heading" id="what-is-the-regulatory-framework-for-the-personal-data-management-policy">What is the regulatory framework for the personal data management policy?</h2>



<div style="height:30px" aria-hidden="true" class="wp-block-spacer"></div>



<h3 class="wp-block-heading" id="the-gdpr-the-key-reference">The GDPR: the key reference</h3>



<p class="wp-block-paragraph">The <strong>General Data Protection Regulation</strong> (GDPR), which came into force in May 2018, harmonises practices relating to the processing of personal data at <strong>European</strong> level. Its aim is to strengthen individuals’ rights, hold data controllers accountable and provide a regulatory framework for their activities. This regulation applies to all private and public organisations that collect and process personal data, including businesses.</p>



<p class="wp-block-paragraph">The GDPR is based on six key principles from which other regulations derive:</p>



<ul class="wp-block-list">
<li><strong>Transparency</strong>. Individuals must be informed of how their information is processed and of their rights regarding such processing (correction, access, erasure, etc.).</li>



<li><strong>Purpose</strong>. Information must be collected for legitimate purposes of the organisation (human resources management, customer follow-up, etc.).</li>



<li><strong>The principle of data minimisation</strong>. The company must only collect data that is strictly essential for its proper functioning.</li>



<li><strong>A defined retention period</strong>. Information is retained for a fixed period. The data must then be deleted, archived or anonymised.</li>



<li><strong>Security</strong>. The company must implement all necessary measures to protect the information entrusted to it.</li>



<li><strong>Individual rights</strong>. Individuals must be able to easily access, rectify and delete (“right to be forgotten”) the information provided.</li>
</ul>



<blockquote class="wp-block-quote is-layout-flow wp-block-quote-is-layout-flow">
<p class="wp-block-paragraph">Data protection regulations are <strong>constantly evolving</strong>. It is therefore essential to keep a close eye on developments and adapt practices accordingly.</p>
</blockquote>



<div style="height:50px" aria-hidden="true" class="wp-block-spacer"></div>



<h2 class="wp-block-heading" id="what-are-companies-obligations-regarding-data-privacy-and-data-management">What are companies’ obligations regarding data privacy and data management?</h2>



<div style="height:30px" aria-hidden="true" class="wp-block-spacer"></div>



<p class="wp-block-paragraph">The company director is the data controller. As such, they are responsible for putting in place the necessary measures and protocols for the processing and protection of personal data.</p>



<div style="height:30px" aria-hidden="true" class="wp-block-spacer"></div>



<h3 class="wp-block-heading" id="ensuring-transparency-and-respect-for-individuals">Ensuring transparency and respect for individuals</h3>



<p class="wp-block-paragraph">Anyone whose personal data is collected must be informed of how this information is used and for what purpose. They must be provided with a full set of details on this matter, including the name of the data controller, whether the provision of this information is mandatory or not, how long the data will be retained, and the rights they have in relation to this data (access, rectification, objection, portability, erasure).</p>



<p class="wp-block-paragraph">This information must be provided at the time of collection where this is direct, or within one month where it is indirect (as is the case with information obtained from public sources). It must be worded clearly and concisely so that the individual can give their consent freely, in an informed, specific and unambiguous manner. Such consent may be mandatory prior to any processing.</p>



<p class="wp-block-paragraph">Do you have a website? This information must appear on your privacy policy page (which is part of the mandatory legal notices). A cookie management banner may also be implemented, but it is prohibited to pre-tick any boxes.</p>



<p class="wp-block-paragraph">Without prior information, you risk a criminal fine.</p>






<blockquote class="wp-block-quote is-layout-flow wp-block-quote-is-layout-flow">
<p class="wp-block-paragraph">These transparency requirements are not merely legal obligations: they help to foster a climate of trust and enhance your company’s credibility.</p>
</blockquote>



<div style="height:30px" aria-hidden="true" class="wp-block-spacer"></div>



<h3 class="wp-block-heading" id="establishing-data-governance">Establishing data governance</h3>



<p class="wp-block-paragraph"><strong>Data governance</strong> refers to the set of protocols implemented within an organisation to ensure the confidentiality, security, accuracy, availability and usability of information. It encompasses standards, technical processes and organisational systems.</p>



<p class="wp-block-paragraph">To comply with the principle of <strong>accountability</strong> and ensure your company’s compliance with data protection rules, two actions are essential:</p>



<ul class="wp-block-list">
<li>Maintain a <strong>data register</strong>. This records all data processing activities to provide a clear overview of the actions carried out. Keeping such a register is mandatory for organisations with more than 250 employees, but also applies to those below this threshold if you process sensitive data, data relating to criminal convictions, or data that poses a real risk to individuals’ rights and freedoms. This is the case, for example, for financial or healthcare companies.</li>



<li>Appoint a <strong>Data Protection Officer</strong> (DPO). A Data Protection Officer is mandatory if your company processes a large volume of data or if the nature of your business involves large-scale monitoring of individuals.</li>
</ul>



<p class="wp-block-paragraph">Data governance is essential for <strong>structuring the internal management of your data</strong> and driving your growth.</p>



<div style="height:30px" aria-hidden="true" class="wp-block-spacer"></div>



<figure class="wp-block-table"><table class="has-fixed-layout"><tbody><tr><td>At Reveals, we support you in implementing a governance policy that meets regulatory and financial requirements, as well as addressing your business challenges. This enables it to become a strategic tool for accelerating your projects in complete safety.<br>> Discover our <a href="https://www.reveals.lu/en/advisory/" type="page" id="3717" target="_blank" rel="noreferrer noopener">advisory services</a> to help you structure and implement your data governance strategy.</td></tr></tbody></table></figure>



<div style="height:50px" aria-hidden="true" class="wp-block-spacer"></div>



<h3 class="wp-block-heading" id="improving-security-and-anticipating-risks">Improving security and anticipating risks</h3>



<p class="wp-block-paragraph">The security measures to be put in place must be proportionate to the nature of the data being processed and the specific risks associated with your business.</p>



<div style="height:30px" aria-hidden="true" class="wp-block-spacer"></div>



<h4 class="wp-block-heading">Regulating data processing</h4>



<p class="wp-block-paragraph">Start by establishing a framework for data processing:</p>



<ul class="wp-block-list">
<li>Identify the data processing activities and the media used;</li>



<li>Map out the interconnection and data flow diagrams from collection to deletion;</li>



<li>Draw up an action plan dedicated to your company’s IT security;</li>



<li>Schedule regular checks to identify any new risks.</li>
</ul>



<div style="height:30px" aria-hidden="true" class="wp-block-spacer"></div>



<h4 class="wp-block-heading">Develop a logging system</h4>



<p class="wp-block-paragraph">A <strong>logging</strong> system records all technical and business-related user activities, as well as any anomalies or security-related events. It is an essential tool for detecting incidents and responding to data breaches.</p>



<div style="height:30px" aria-hidden="true" class="wp-block-spacer"></div>



<h4 class="wp-block-heading">Taking action on multiple levels</h4>



<p class="wp-block-paragraph">To enhance security, there are several measures that can be taken, including:</p>



<ul class="wp-block-list">
<li>Restricting user <strong>authentication</strong> and <strong>authorisation</strong>. Assign a unique username to each individual and limit access according to their authorisation level.</li>



<li><strong>Protecting IT equipment</strong> and the network. Installing firewalls, setting up automatic session lock-out systems, regularly updating antivirus software, segmenting the network, and deleting data from a workstation before it is reallocated are examples of common measures. Your teams must also be made aware of the risks associated with the use of mobile devices (theft, connecting to unsecured public networks).</li>



<li>Securing servers. This can be achieved using the <strong>TLS protocol</strong> for <strong>data encryption</strong>, as well as malware detection software.</li>



<li>Perform regular <strong>data backups</strong> (including one offline). Remember to protect these backups to the same standard as your production systems.</li>
</ul>



<div style="height:30px" aria-hidden="true" class="wp-block-spacer"></div>



<h4 class="wp-block-heading">Assess the risks</h4>



<p class="wp-block-paragraph">The level of risk must be assessed on a regular basis, in line with the level of risk associated with your business. In the event of an incident, your company must be able to demonstrate that it has taken appropriate measures.</p>



<p class="wp-block-paragraph">Where data processing poses a significant risk to the rights and freedoms of individuals, a data protection <strong>impact assessment</strong> (DPIA) must be carried out. This involves assessing the risks, the proportionality of the actions taken and the measures envisaged to manage them.</p>



<div style="height:30px" aria-hidden="true" class="wp-block-spacer"></div>



<h4 class="wp-block-heading">Create management protocols</h4>



<p class="wp-block-paragraph">Any security incident must be handled in accordance with a <strong>formal procedure</strong>. The document must set out the criteria for classifying the incident and the people to contact in the event of a problem. Please note that in the event of a breach that is likely to infringe on individuals’ rights and freedoms, you have <strong>72 hours</strong> to notify the CNIL.</p>



<div style="height:30px" aria-hidden="true" class="wp-block-spacer"></div>



<h3 class="wp-block-heading" id="monitoring-data-flows-to-third-parties">Monitoring data flows to third parties</h3>



<p class="wp-block-paragraph">If you use third-party organisations to manage your data, you should check that they offer sufficient safeguards. Request the organisation’s security policy and verify their expertise and resources. You should then draw up a data processing agreement to formalise the purpose of the processing, set out the division of tasks and responsibilities, and specify the procedures for processing the information.</p>



<p class="wp-block-paragraph">If you use an organisation based outside the EU, check that its country of residence is covered by an adequacy decision from the European Commission (the list is available on the CNIL website). If no decision has been issued, you should require guarantees from the organisation: adherence to a code of conduct, the signing of a contract incorporating the European Commission’s standard contractual clauses, or the implementation of binding corporate rules.</p>



<div style="height:50px" aria-hidden="true" class="wp-block-spacer"></div>



<h2 class="wp-block-heading" id="what-are-the-issues-and-challenges-involved-in-implementing-this-for-companies">What are the issues and challenges involved in implementing this for companies?</h2>



<div style="height:30px" aria-hidden="true" class="wp-block-spacer"></div>



<h3 class="wp-block-heading" id="the-risks-of-non-compliance">The risks of non-compliance</h3>



<p class="wp-block-paragraph">The implementation of a privacy and data processing policy is mandatory and governed by law. In the event of non-compliance, the company faces significant financial penalties, or even criminal sanctions.</p>



<p class="wp-block-paragraph">Beyond the legal aspect, any data breach also has an <strong>impact on the company’s reputation</strong>. Conversely, a strict policy serves as a means of strengthening consumer confidence.</p>



<div style="height:30px" aria-hidden="true" class="wp-block-spacer"></div>



<h3 class="wp-block-heading" id="technological-development">Technological development</h3>



<p class="wp-block-paragraph">The digitisation of tools and storage systems (the cloud, connected devices), as well as the development of artificial intelligence and big data, are heightening the challenges associated with data management.</p>



<p class="wp-block-paragraph">These developments make information processing more <strong>complex</strong> and increase the risk of potential security breaches. It is therefore essential to establish a <strong>governance policy</strong> that is adapted to current challenges.</p>



<p class="wp-block-paragraph">Respecting confidentiality in data management is a major challenge in the <strong>digital transformation of businesses</strong>. Within the framework of the GDPR, the aim is to ensure the useful and consistent processing of information to accelerate the growth of organisations whilst guaranteeing data protection. Whilst these obligations represent an organisational and technical constraint, they also constitute an essential lever for building trust. Reveals supports you in establishing a governance policy tailored to your business challenges. Contact us to identify the key areas for structuring your data flow processing to accelerate your growth.  </p>



<div style="height:50px" aria-hidden="true" class="wp-block-spacer"></div>



<h2 class="wp-block-heading" id="qa">Q&amp;A</h2>



<div style="height:30px" aria-hidden="true" class="wp-block-spacer"></div>



<h3 class="wp-block-heading" id="what-is-personal-data">What is personal data?</h3>



<p class="wp-block-paragraph">Personal data is information that directly or indirectly identifies an individual. Examples include a surname, first name, home address, IP address, telephone number or fingerprint.</p>



<div style="height:30px" aria-hidden="true" class="wp-block-spacer"></div>



<h3 class="wp-block-heading" id="what-is-the-difference-between-the-gdpr-and-the-cnil">What is the difference between the GDPR and the CNIL?</h3>



<p class="wp-block-paragraph">The GDPR is the European regulation governing the protection of personal data. The CNIL is the French authority responsible for its enforcement within France. It supports organisations in achieving compliance.</p>



<div style="height:30px" aria-hidden="true" class="wp-block-spacer"></div>



<h3 class="wp-block-heading" id="what-are-the-stages-involved-in-data-processing">What are the stages involved in data processing?</h3>



<p class="wp-block-paragraph">Data is first collected and then recorded. It can then be used, modified or even shared if necessary. It is retained for a specified period before being deleted or anonymised.</p>
]]></content:encoded>
					
					<wfw:commentRss>https://www.reveals.lu/en/data-privacy-and-management-how-can-we-ensure-data-security/feed/</wfw:commentRss>
			<slash:comments>0</slash:comments>
		
		
		<post-id xmlns="com-wordpress:feed-additions:1">4760</post-id>	</item>
		<item>
		<title>GDPR records: why and how should they be kept?</title>
		<link>https://www.reveals.lu/en/gdpr-records/</link>
					<comments>https://www.reveals.lu/en/gdpr-records/#respond</comments>
		
		<dc:creator><![CDATA[LOLA EN]]></dc:creator>
		<pubDate>Fri, 24 Apr 2026 05:07:53 +0000</pubDate>
				<category><![CDATA[English articles]]></category>
		<guid isPermaLink="false">https://www.reveals.lu/?p=4781</guid>

					<description><![CDATA[<p>Are you looking to set up a GDPR register within your organisation? This document enables you to centralise all your personal data processing activities so that you can manage your strategy and remain compliant with your data protection obligations. Reveals explains how to create and maintain a record of processing activities. What is a data [&#8230;]</p>
<p>The post <a href="https://www.reveals.lu/en/gdpr-records/">GDPR records: why and how should they be kept?</a> first appeared on <a href="https://www.reveals.lu/en/home">REVEALS</a>.</p>
]]></description>
										<content:encoded><![CDATA[
<blockquote class="wp-block-quote has-background is-layout-flow wp-block-quote-is-layout-flow" style="background-color:#f7ebec">
<p class="wp-block-paragraph">Key points:</p>



<ul class="wp-block-list">
<li>A GDPR register lists all data processing activities;</li>



<li>It is mandatory for many organisations that handle personal data;</li>



<li>Its contents must be updated as soon as any processing activities change;</li>



<li>It is a management tool designed to secure your data and improve your internal processes.</li>
</ul>
</blockquote>



<div style="height:30px" aria-hidden="true" class="wp-block-spacer"></div>



<figure class="wp-block-image size-full"><img decoding="async" width="928" height="399" src="https://www.reveals.lu/wp-content/uploads/2026/04/registre-rgpd.webp" alt="" class="wp-image-4496" srcset="https://www.reveals.lu/wp-content/uploads/2026/04/registre-rgpd.webp 928w, https://www.reveals.lu/wp-content/uploads/2026/04/registre-rgpd-480x206.webp 480w" sizes="(min-width: 0px) and (max-width: 480px) 480px, (min-width: 481px) 928px, 100vw" /></figure>



<div style="height:30px" aria-hidden="true" class="wp-block-spacer"></div>



<p class="wp-block-paragraph">Are you looking to set up a <strong>GDPR register</strong> within your organisation? This document enables you to centralise all your personal data processing activities so that you can manage your strategy and remain compliant with your data protection obligations. Reveals explains how to create and maintain a record of processing activities.</p>



<div style="height:50px" aria-hidden="true" class="wp-block-spacer"></div>



<h2 class="wp-block-heading" id="what-is-a-data-processing-register">What is a data processing register?</h2>



<p class="wp-block-paragraph">Governed by Article 30 of the General Data Protection Regulation, the record of processing activities (also known as the GDPR record) is an internal document that centralises all the <strong>procedures</strong> through which your organisation collects, uses and manages <strong>personal data</strong>. It provides you with a comprehensive overview of your processing activities, enabling you to identify practices that need to be improved and to verify that each procedure put in place is genuinely useful and relevant to your organisation.</p>



<p class="wp-block-paragraph">It is a key document for ensuring compliance with the principle of <strong>accountability</strong>. It lists all the measures implemented by your company to comply with the obligations of the GDPR. It is one of the first documents requested during inspections by the CNIL (French Data Protection Authority). It enables you to demonstrate that you comply with European regulations on the protection of personal data.</p>



<p class="wp-block-paragraph">Note that there are two types of register:</p>



<ul class="wp-block-list">
<li>A register for data controllers;</li>



<li>A register for data processors.</li>
</ul>



<p class="wp-block-paragraph">If your company is both a data controller and a data processor, you will need to maintain two separate registers. This situation is particularly common among HR firms and IT service providers.</p>



<blockquote class="wp-block-quote is-layout-flow wp-block-quote-is-layout-flow">
<p class="wp-block-paragraph">Good to know: you can find a downloadable example of a simplified GDPR processing register on the CNIL website.</p>
</blockquote>



<div style="height:50px" aria-hidden="true" class="wp-block-spacer"></div>



<h2 class="wp-block-heading" id="who-is-required-to-keep-a-gdpr-record">Who is required to keep a GDPR record?</h2>



<p class="wp-block-paragraph">In principle, all organisations that collect personal data (from their employees, customers, suppliers, etc.) are required to maintain this record of processing activities. However, the regulations provide for <strong>exemptions</strong> for organisations with <strong>fewer than 250 employees.</strong></p>



<p class="wp-block-paragraph">Such organisations are actually required to maintain this register when they process data of a sensitive nature (health, biometrics, etc.) that may pose a risk to <strong>personal freedom</strong>. If you are unsure about the nature of the data you manage internally, the CNIL recommends that you include this information in your register. In fact, if you work in a financial institution, it is still necessary to create and regularly update this document even if you are a small independent organisation (such as a brokerage firm).</p>



<div style="height:50px" aria-hidden="true" class="wp-block-spacer"></div>



<h2 class="wp-block-heading" id="what-is-the-value-of-this-document-for-businesses">What is the value of this document for businesses?</h2>



<div style="height:30px" aria-hidden="true" class="wp-block-spacer"></div>



<h3 class="wp-block-heading" id="comply-with-gdpr-regulations">Comply with GDPR regulations</h3>



<p class="wp-block-paragraph">Since 2018, all organisations collecting data from European residents have been required to comply with the General Data Protection Regulation. When you collect and process personal information (such as your customers’ names and contact details), you must put in place all necessary measures to protect it.</p>



<p class="wp-block-paragraph">The processing activity register formalises this approach. By documenting exactly why and how each type of information you use is processed, you have a solid basis for demonstrating your <strong>compliance</strong>.</p>



<div style="height:30px" aria-hidden="true" class="wp-block-spacer"></div>



<h3 class="wp-block-heading" id="identify-the-data-most-at-risk">Identify the data most at risk</h3>



<p class="wp-block-paragraph">Sensitive data requires the implementation of advanced security measures. The register will enable you to tailor your approach according to the level of <strong>sensitivity</strong>.</p>



<p class="wp-block-paragraph">It is important to ensure that only authorised personnel have access to it. You can also implement advanced security measures, such as encrypting your data or strengthening the security of your servers and IT network.</p>



<div style="height:30px" aria-hidden="true" class="wp-block-spacer"></div>



<h3 class="wp-block-heading" id="check-that-your-data-is-actually-useful-to-your-business">Check that your data is actually useful to your business</h3>



<p class="wp-block-paragraph">Your organisation is required to comply with the principle of <strong>data minimisation</strong>. This means that you must only process information that is relevant to the fulfilment of a legitimate, explicit and specific purpose. If certain data is not justified, you must delete it.</p>



<p class="wp-block-paragraph">Reveals supports you in strengthening your data governance. We help you structure areas of responsibility and implement appropriate management systems. Discover our <a href="https://www.reveals.lu/en/advisory/" type="page" id="3717" target="_blank" rel="noreferrer noopener">data governance advisory services</a> to structure and manage your data.</p>



<div style="height:50px" aria-hidden="true" class="wp-block-spacer"></div>



<h2 class="wp-block-heading" id="how-do-you-create-a-record-of-processing-activities">How do you create a record of processing activities?</h2>



<div style="height:30px" aria-hidden="true" class="wp-block-spacer"></div>



<p class="wp-block-paragraph">You are free to create a record either in electronic or paper format. However, it must include certain essential information.</p>



<div style="height:30px" aria-hidden="true" class="wp-block-spacer"></div>



<h3 class="wp-block-heading" id="the-data-controllers-record">The data controller’s record</h3>



<p class="wp-block-paragraph">Your record lists all processing activities in the form of <strong>individual entries</strong>.</p>



<p class="wp-block-paragraph">Each entry must include the following details:</p>



<ul class="wp-block-list">
<li>The name of the processing activity;</li>



<li>The name and contact details of the data controller responsible for the processing activity, as well as those of the company’s Data Protection Officer (DPO), where applicable;</li>



<li>The purposes of the processing activity (specifying the primary purpose and any secondary purposes);</li>



<li>The categories of personal data involved in the processing activity;</li>



<li>The categories of data subjects (who the information relates to);</li>



<li>The recipients of the data (including processors);</li>



<li>The list of security measures implemented to protect the data;</li>



<li>Any data transfers carried out;</li>



<li>The planned retention periods.</li>
</ul>



<div style="height:30px" aria-hidden="true" class="wp-block-spacer"></div>



<h3 class="wp-block-heading" id="the-processors-record">The processor’s record</h3>



<p class="wp-block-paragraph">If you also process your clients’ data, you must maintain a record of categories of processing activities.</p>



<p class="wp-block-paragraph">Each entry must contain the following information:</p>



<ul class="wp-block-list">
<li>The name and contact details of your organisation;</li>



<li>The name and contact details of your client, their data controller and, where applicable, their representative;</li>



<li>The name and contact details of your processors (where applicable);</li>



<li>The categories of processing activities concerned;</li>



<li>The security measures implemented;</li>



<li>Any transfers of data to a third country or international organisation, along with the associated safeguards.</li>
</ul>



<p class="wp-block-paragraph">You may supplement this record with any information you consider useful.</p>



<div style="height:50px" aria-hidden="true" class="wp-block-spacer"></div>



<h2 class="wp-block-heading" id="how-should-you-maintain-and-update-your-gdpr-record">How should you maintain and update your GDPR record?</h2>



<p class="wp-block-paragraph">This record is maintained by the data controller, a processor or the <strong>Data Protection Officer</strong> (DPO), if the organisation has one.</p>



<p class="wp-block-paragraph">When creating it, all activities involving the use of personal data should be identified. Within a company, this may include recruitment, HR management, payroll management, customer portfolio management or employee training.</p>



<p class="wp-block-paragraph">To begin your initial assessment, contact all departments and individuals within your organisation who use personal data. You should also review your website to identify all information collected through online forms.</p>



<p class="wp-block-paragraph">Next, list all activities involving personal data. You can then complete one entry per activity and gain a clear overview of all processing operations carried out within your organisation.</p>



<p class="wp-block-paragraph">Finally, assess the risks related to data security in order to implement the necessary actions to remain compliant with the GDPR.</p>



<p class="wp-block-paragraph">And remember to update this record whenever a process changes. Any modification must be recorded to ensure the accuracy of the document.</p>



<div style="height:50px" aria-hidden="true" class="wp-block-spacer"></div>



<h2 class="wp-block-heading" id="who-should-this-personal-data-record-be-shared-with">Who should this personal data record be shared with?</h2>



<p class="wp-block-paragraph">This is an internal company record. However, it may be requested by the CNIL as part of a GDPR compliance inspection. During such an inspection, the authority verifies that the procedures in place guarantee the security of personal data during processing.</p>



<p class="wp-block-paragraph">Implementing a GDPR record is an essential step for any organisation that processes personal data. Beyond regulatory compliance, this document provides a clear overview of your practices, helps identify areas for improvement and strengthens the security of your processing activities. Reveals supports businesses in implementing governance policies tailored to their needs in order to secure and fully leverage their data. Contact us to deploy a control and monitoring framework adapted to your organisation.</p>



<div style="height:50px" aria-hidden="true" class="wp-block-spacer"></div>



<h2 class="wp-block-heading" id="qa">Q&amp;A</h2>



<div style="height:30px" aria-hidden="true" class="wp-block-spacer"></div>



<h3 class="wp-block-heading" id="what-gdpr-records-are-mandatory">What GDPR records are mandatory?</h3>



<p class="wp-block-paragraph">There are two types of data processing records: the record maintained by the organisation collecting the information and the record maintained by processors. Where an organisation performs both roles, it must maintain two separate records.</p>



<div style="height:30px" aria-hidden="true" class="wp-block-spacer"></div>



<h3 class="wp-block-heading" id="how-often-should-the-record-of-processing-activities-be-updated">How often should the record of processing activities be updated?</h3>



<p class="wp-block-paragraph">It must be updated whenever a data processing procedure changes.</p>



<div style="height:30px" aria-hidden="true" class="wp-block-spacer"></div>



<h3 class="wp-block-heading" id="what-are-the-penalties-for-failing-to-maintain-a-processing-record">What are the penalties for failing to maintain a processing record?</h3>



<p class="wp-block-paragraph">If an organisation processing personal data fails to maintain a GDPR record in accordance with European regulations, it may face a fine of up to €10 million or up to 2% of the company’s annual worldwide turnover.</p>
<p>The article <a href="https://www.reveals.lu/en/gdpr-records/">GDPR records : why and how should they be kept ?</a> first appeared on <a href="https://www.reveals.lu/en/home">REVEALS</a>.</p>
]]></content:encoded>
					
					<wfw:commentRss>https://www.reveals.lu/en/gdpr-records/feed/</wfw:commentRss>
			<slash:comments>0</slash:comments>
		
		
		<post-id xmlns="com-wordpress:feed-additions:1">4781</post-id>	</item>
	</channel>
</rss>
