All persons that are involved with the use of personal data should be added to the compliance database. A person must be assigned to a department and a department role so that the compliance database's information can be properly structured. There are two types of person:
• Responsible persons: A responsible person is assigned to a processing activity and is responsible for: (i) how it works, (ii) determining who has access to relevant data, (iii) any other matters related to the processing activity. These are the persons who are relevant for GDPR conformance reports. They are assigned to department roles.
• Users of personal data: This information is not relevant for GDPR conformance reports but provides a convenient overview of the roles of persons in each department; it also indirectly indicates—via associated processing activities—to which data these persons have access. Just as for responsible persons, users are assigned to department roles.
If a department role is assigned to a processing activity, it means that the persons in this department role will have access to the data used by the processing activity. In the compliance database, the description of a department lists each department role together with the persons assigned to the respective department roles (see Departments).
If (i) a person in the Accounting department is assigned to that department's Salaries role, and (ii) the Salaries department role is assigned to the Employee Salaries processing activity, then that person has access to the data used by the Employee Salaries processing activity. If, additionally, this person is defined as a Responsible Person of the Employee Salaries processing activity, then this person is accountable for the Employee Salaries processing activity and protection of the data used by Employee Salaries.
In our example, we create six persons and assign them to six different department roles (see screenshots below).
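The access chain described above (person, department role, processing activity) can be sketched as follows. This is an added illustration, not the compliance database's schema or API; the class and function names, the person names and the Invoices role are assumptions, and each person is assumed to hold exactly one department role.

```python
from dataclasses import dataclass, field

@dataclass(frozen=True)
class DepartmentRole:
    department: str
    name: str

@dataclass(frozen=True)
class Person:
    name: str
    role: DepartmentRole  # assumption: one department role per person

@dataclass
class ProcessingActivity:
    name: str
    roles: set = field(default_factory=set)        # department roles assigned to it
    responsible: set = field(default_factory=set)  # names of its Responsible Persons

def persons_with_access(activity, persons):
    """Names of everyone whose department role is assigned to the activity."""
    return {p.name for p in persons if p.role in activity.roles}

def activities_for_person(person, activities):
    """Processing activities whose data the person can reach via their role."""
    return sorted(a.name for a in activities if person.role in a.roles)

def access_review(activity, persons):
    """Separate accountable persons from those who only use the data."""
    access = persons_with_access(activity, persons)
    return {
        "accountable": sorted(activity.responsible),
        "access_only": sorted(access - activity.responsible),
    }

# Constructed sample data; only Accounting, Salaries and Employee Salaries
# come from the page.
SALARIES = DepartmentRole("Accounting", "Salaries")
INVOICES = DepartmentRole("Accounting", "Invoices")
PERSONS = [Person("Alice", SALARIES), Person("Bob", SALARIES), Person("Carol", INVOICES)]
EMPLOYEE_SALARIES = ProcessingActivity("Employee Salaries", {SALARIES}, {"Alice"})

if __name__ == "__main__":
    print(access_review(EMPLOYEE_SALARIES, PERSONS))
    print(activities_for_person(PERSONS[2], [EMPLOYEE_SALARIES]))
```
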
Create/edit Person information
To create/edit Person information, do the following:
1. On the Overview page, click Configure.
2. On the Configuration page that appears, click the Manage button of the Persons item. The Persons page (screenshot below), which lists all the defined persons of the entire organization, is displayed.
3. To create a new person, click New Person. To edit a person's information or delete a person, click the person's Edit or Delete icon, respectively.
Edit Person information
When you click New Person or the Edit icon of a person, the individual person's screen is displayed, in which you can edit the person's information (see screenshot below).
A Person item has the following properties:
• Department: Select one from existing departments, or create and select a new department.
• Role: Select one from existing roles of the selected department, or create a new role for the selected department and select it.
• Email and phone: These are optional.
• Data Protection Officer: This designation indicates persons who are responsible for designing and maintaining data protection processes.
Click Save when you finish. In the department's description, this person is now shown as being assigned to that department role.
Note: If a person is responsible for a certain processing activity, then this is defined as a property of the respective processing activity.
Relationships with other metadata
A person has the following relationships with other metadata:
Which sets up...
The department to which a person belongs.
The department role to which a person is assigned. A person is then displayed reflexively in the respective department role.
It can be selected for...
Which sets up...
Which persons have responsibility for the processing activity. Once a person is selected, the processing activity appears reflexively as part of the information about the person.