Work processes are in GDPR-context processes in which processing of personal data concludes. Work processes are also called processing activities in different legal texts. Personal data is defined as all information that can identify an individual. All work processes need to be mapped, even if it’s only a name that’s included.
How to work with work processes
When clicking ‘create’ (1) I the left corner in the overview of work processes or ‘edit’ (2) next to a work process, you will open a longer form. When the form is completed, it will contain all the necessary information, which forms the basis of your GDPR-compliance. You don’t have to fill out all the fields right away, but through time every field of the form must be completed.
3. Here you can click on copy, archive, export and delete. Read more about the different functions here.
The form will continuously change, after the choices you make and the information you provide. This is a part of making your work with the work process more manageable.
Down below, all the fields of the form will be gone through with a short description of which information you need to provide in the individual fields.
In this form, you will see some different icons next to some fields. Here is an example of the icons:
In this field you must enter the name, you want to know the process by. It’s up to you what the name should be, but it’s important that you choose a name, that makes it manageable for you, to know the process by.
To get some inspiration for names for work processes you can go to the item “templates” in the menu bar to the left in the portal and find a guidance document.
Responsible and responsible department
All work processes must have an internal responsible. In the field of responsible you can choose between entering the position of the person, that is responsible or the person by name. You can also press the icon at the right of the field: ‘Use account users’, that will change the field to a bar with an overview of the account users, in which you can click on the user, who is responsible for the process. Which of the options you choose, is the one, that is most practical for you.
In the field below responsible is the field ‘responsible department’. By clicking on the field an overview of departments will show. If there’s missing a department, you can add a department by clicking on ‘Add department’ below the field.
Description of the process and purpose of the data processing
When having a work process, it’s important to know what you do in the process from start to finish and why you process personal data in connection with the work process.
In the field description you must describe what you do in the work process.
In the field purpose of the data processing you must descripe why you process personal data in connection with the work process.
Data controller or data processor?
In the form you must enter if you are data controller or data processor in connection with the work process.
The choice of role in connection with the work process will make the form adapt. If you are data processor the later fields regarding legal basis will become inactive, as it’s the data controller that needs to enter this information. When choosing the role ‘data processor’ a new field will show below. In the field you must enter who the data controller is, that you’re processing data for. The field will open a list of data controllers. If a data controller is missing from the list, you can add one by clicking on ‘Create data responsible’ and add a data controller yourself. It’s only recommended to use this field if the list of data controllers isn’t too long. If you are data processor for all your clients, it isn’t necessary to enter all of them in the work process.
You can also choose ‘Joint controllers’ and if you choose this type, it can be relevant to use the field ‘Any comments on data controller or data processor’ to give a further explanation of the joint controlling.
Which systems are used? / Where is information stored?
In this field you must enter which systems, that are used when processing data and where the data is stored. When clicking on the field, a list will open showing the different systems. If a system is missing, this is how you add it:
When clicking on the field (1) a form will open. There are information boxes for all fields. The choices you make in this field will adapt the forms fields and choices in connection with the choice of data recipients and where data regarding the registered is stored.
Who is data shared with?
In this field you must enter all the data recipients, which receive data in connection to the work process.
When clicking on the field, a list of data recipients will open. If a data recipient is missing, you can add it this way:
Click on ‘Add data recipient’ (1) to open a form. There are information boxes for all fields.
Who is the data about?
In this field you must create the data subjects regarding the work process.
- Click on ‘Add data subject’. A form will open.
- Type: By clicking on this field a list will open with the different types of subjects. If a type is missing, you can write it manually and press enter.
- Ordinary information: By clicking on this field a list will open with different types of ordinary information. If an information is missing, you can write it manually and press enter.
- Special information: By clicking on this field an exhaustive list with special information will open.
- Sensitive information: By clicking on this field an exhaustive list with sensitive information will open.
- Add IT system / Information asset / Data recipient to all listed data: This field will adapt after the information you have entered across. The form will update and section the information. For every information, you must choose IT system / information.
- Create: Click create, when you have completed the form. If you need to add more than one data subject in the work process you simply start this process from number 1 again.
The choices in this form will adapt the rest of the fields of the work process form and choices regarding legal basis.
When you have filled a form of a data subject, it could look like this:
- The type you chose in the form.
- The ordinary information you chose will be green.
- The special information you chose will be yellow.
- The sensitive information you chose will be red.
- Edit the form regarding the data subject.
- Delete the data subject.
If you are data controller the form will show fields regarding legal basis, after you’ve filled out the parts regarding the different kinds of information. You must fulfill the legal basis of each type of information that is being processed.
- Legal basis: By clicking this field, an exhaustive list of legal bases will show.
- Specifying: Here you need to justify why and how the selected legal basis applies.
The same procedure follows for each type of information.
Please notice that when choosing the legal basis for sensitive information you must choose two legal bases.
Is the obligation to provide information met?
If you are data controller you must provide an answer to if the obligation to provide information is met. If you’re not able to submit the answer “yes” we recommend that you use the box below to describe why the obligation isn’t met or how it is met partially.
Are personal data transferred to unsafe third countries?
If you in the start of the form specified a data recipient that is placed in an unsafe third country, the data recipient will automatically get registered in this field.
Are data deleted?
In this field you must enter if personal data gets deleted again. By clicking on the field, a bar will show with different options. Generally, all personal data must be deleted when it does not serve a purpose keeping it.
In the field under you must enter when data will be deleted. For the sake of thoroughness, we recommend including a description of a deletion routine.
Who has access to data?
Here you must enter the persons in the organization that have access to the data.
Every work process must be covered by adequate organizational and technical security measures. This is how you submit which security measures your work process is covered by.
- By clicking on this field a list of security measures will show.
- If a security measure is missing from the list, you can add it by clicking here. This will open a form, that you must fulfill.
Form for adding a security measure:
- Title: Here you must write the title of the security measure.
- General: You can click on the icon to the right if it’s a general security measure.
- Responsible: Here you must enter the person responsible for the security measure. You can also choose to click on the icon ‘use account users’, and the field will change to a list over the users. It’s up to you, which option you choose.
- Description: Here you must specify the security measure.
- Attachments: In this field you can see and add attachments.
- Element: At the top of this field, you can see the elements of the security measure. Below the field you can add elements.
In the field ‘Comments regarding security measures’ you can enter security measures with directly association with the work process.
At the end of entering the security measures you must enter if the security measures are adequate. By clicking on the field, a list of different options will show.
Suggestions for improvement of the work process
In this field you can enter suggestions for how to improve the work process.
Completion of fulfilling the form regarding work process
At the end of the form, you can add files, by either pulling them into the field or by clicking ‘choose files’. When you click on ‘choose files’ a window will open, where you can find all documents.
When you have finished the form, you must click on the button in the right corner at the end of the form. It will say ‘Update’ if it’s a work process already created or ‘Create’ if it’s a new work process.
At the top right corner of the form there is a line of support features. The support features are given following icons:
- Access to send a work process to an employee, so that the employee through the link can edit the work process. This option could be relevant, when an employee only rarely has to edit the work process or if you want to limit what the individual can access of data in the portal.
- This is a shortcut to the process. When clicking the icon, it will turn green and save a shortcut in your clipboard. You can use this icon to send a deep link to another user of the portal.
- This icon is a log over all changes in the work process. In the log it’s possible to see which employee that has edited the different field of the form.