The GDPR imposes a number of specific reporting requirements upon companies and organisations processing personal data.

The two most important ones concern, on the one hand, the requirement to develop a data processing register and, on the other hand, the requirement to demonstrate that each new asset that will be used for – inter alia – the processing of personal data underwent a “privacy by design” scrutiny.

Data processing register

The GDPR requires data controllers and data processors to have a data processing register in place if they have more than 250 employees or if their processing of personal data is “more than incidental”. This data processing register is intended to replace the obligation under national laws of the EU Member States to report their data processing activities to the national data protection authorities.

Now, the question arises as to what is meant by “more than incidental” data processing activities. When reviewing the positions taken by some of the data protection authorities, it is clear that, by way of example, the systemic processing of customer data is an activity considered to be “more than incidental” personal data processing. In other words: almost each and every company will be required to have such a data processing register in place …

Notwithstanding the fact that the GDPR aims to provide for a single European level playing field for the processing of personal data, the various national data protection authorities have published different recommended formats (in Excel) for reporting their data processing activities.

In order to help you in the process of developing and maintaining your data processing register, we have developed a cloud-based application that will help you in your path to compliance.

Privacy by design and by default

The GDPR requires a data controller to implement appropriate technical and organisational measures both at the time of determination of the means for processing and at the time of the processing itself.

These measures may include:

  • minimising the processing of personal data;
  • pseudonymising personal data as soon as possible;
  • transparency with regard to the functions and processing of personal data;
  • enabling the data subject to monitor the data processing; or
  • enabling the controller to create and improve security features.

Our solutions

Online data processing register

Our online data processing register allows you to document and detail all data processing activities for each and every department within your organization and with each and every third party with whom personal data is being processed.

Privacy by design reporting

Documenting whether you have applied the right principles when designing new tools through which personal data is being processed will become a more important process within corporations that process a lot of (sensitive) personal data, either on their own behalf or on behalf of customers or suppliers.

Our online tool guides you through this process, and documents and stores findings and recommendations.

Privacy policy checklist

Our privacy policy checker assists you in defining whether a particular privacy policy meets the requirements of the GDPR, depending on the activities of the party processing personal information, the personal data processed and the purpose of such processing.

Data processing agreement checklist

One of the most tedious tasks in becoming “GDPR compliant” relates to contracts with third parties that entail the processing – on your or their behalf – of personal data. Contracts with these stakeholders (which include, inter alia, software developers, hosting companies, HR firms, IT service providers, etc.) need to reflect the obligations set out in the GDPR, and this by May 25, 2018 at the latest.

As said, this task is a tedious one, in particular for companies that have many stakeholders with which they are exchanging personal data. In order to manage the influx of bespoke data processing agreements, we have designed a tool that will help you check and document whether such an agreement meets the requirements of the GDPR and is adapted to your needs.

Steven Motmans

Reporting Obligations