The Autoriteit Persoonsgegevens (AP) has launched an exploratory study to find out how well large organizations comply with the new European privacy rules. In a random sample of 30 large organizations from 10 private sectors, the AP is investigating whether they keep a register of processing activities. Does an organization have a register of processing activities and does it contain the right information? If so, the AP considers this an important first step by which an organization demonstrates that it takes privacy rules seriously.
Sectors
The AP is conducting the sample at the following ten sectors: industry and metal, waterworks , construction, trade, hospitality, travel organization, communications, financial services , business services and healthcare. The organizations are located throughout the Netherlands.
Register of Processing
Since May 25, 2018, new European privacy legislation, the General Data Protection Regulation (AVG), has been in effect. Part of this requires organizations to have a register of processing activities in some situations. The register of processing activities contains information about the personal data that organizations process and the purpose for which they process the personal data.
Organizations are required to provide the register if the AP asks them to do so. The register is mandatory for all organizations with more than 250 employees. Smaller organizations must have a register of processing operations if they meet at least one of the following criteria:
they structurally process data, for example, data about their employees,
they process data at a high risk to the rights and freedoms of affected individuals,
they process special personal data, such as data on religion or health.
