Internal Control over the Processing of Personal Data

In the digital age, personal data protection is becoming one of the main tasks for companies that deal with many individuals and with the personal data of job candidates and employees. Internal control over the processing of personal data is one of the critical functions of the Personal Data Protection Officer (DPO). In this article, we look at how the DPO exercises internal control over the processing of personal data and highlight the key steps that help in this critical role.

DPO functions that are related to internal control over the processing of personal data

The DPO cannot perform its vital function of internal control over the processing of personal data without also performing other functions, in particular:

  1. Analyzing the processes of processing personal data and determining the risks of these processes.
  2. Developing documents on the processing of personal data and updating them in a timely manner.
  3. Consulting managers on personal data issues and interacting with authorized persons.
  4. Familiarizing the company’s employees with the requirements for protecting personal data and with the company’s internal documents on the processing of personal data.
  5. Organizing training for employees who process personal data and checking their knowledge of personal data processing.
  6. Participating in the consideration of complaints from individuals regarding the processing of their data.
  7. Interacting with the National Center for Personal Data Protection.

Actions of the DPO after appointment to the position

After being appointed to the position, the DPO usually conducts internal control over the processing of the company’s personal data. To do this, the DPO can act according to a step-by-step plan. For example:

Step 1. Evaluate the effectiveness of the chosen method of processing personal data.
The DPO can define a period (for example, a calendar year or other period) during which it will monitor the processing of personal data in all company departments.
Step 2. Analyze the business processes related to the processing of personal data.
When implementing this step, it may be necessary to draw up a procedure for interacting with the company’s departments in processing personal data (the register of personal data processing). In this document, you can define, in particular, the processing processes and the departments that carry out them. It is also logical to determine, for each process, the purpose of processing, the list of categories of personal data processed, the source from which they are received, and the retention period.
Step 3. Prepare draft documents or check existing documents.
At this stage, the DPO prepares draft documents that define the policy of the operator company or an authorized person for the processing of personal data, or checks these documents for compliance with the requirements if the company already has them. The DPO also checks that the policy is accessible to an unlimited number of individuals.
Separate policies may be necessary for different business processes related to personal data processing. For example, individual policies can be developed for the processing of employees’ personal data, for video surveillance, and for cookies.
In the policy (or policies), it is necessary to clearly set out (for example, in the form of a table) the correspondence between the purposes and legal grounds for processing personal data, the data subjects, the list of personal data, and the processing period.
Access by an unlimited number of people to the policy is justified when the policy concerns the processing of personal data of website visitors, service users, etc. Such a policy is posted on the company’s website.
The policy on processing the data of the company’s employees does not need to be posted on the company’s website. It is enough to familiarize employees with it, which is done by publishing it in places accessible to them, including online.
Step 4. Check whether employees and other persons who process personal data are familiar with the requirements for their protection and with the policies, and whether training has been conducted.
Employees, as well as interns and contractors, are introduced to the requirements for protecting personal data, to the policies, and to the measures of liability for violations in processing personal data.
Step 4. Check whether employees and other persons who process personal data are familiar with the requirements for their protection, with the policies, and whether training has been conducted
They introduce the requirements for protecting personal data, policies, and measures of responsibility for violations in processing employees’ data, as well as interns and contractors.
Employees who process personal data are usually trained in the company itself. However, this can also be done in organizations like the National Center for Personal Data Protection.
After training, the company usually conducts a knowledge test in a way that the company defines. This can be, for example, a test or an interview.
Step 5. Check whether the official duties of the persons who process personal data are supplemented with provisions on the processing of personal data and on disciplinary liability for violations during processing.
The DPO checks whether the job descriptions of persons who directly process personal data contain provisions stating that they must comply with the requirements for processing personal data established at the state and company levels.
Step 6. Is the procedure for accessing personal data defined?
The procedure for accessing personal data can be a single document or several documents when the company has adopted separate, non-overlapping business processes for processing personal data. For example, when personal data is processed in information systems and also during video surveillance, there may be several documents on the procedure for accessing personal data.
Step 7. Is there technical and cryptographic protection of information?
If the company owns information resources that contain personal data, it is necessary to check whether the list of such resources and the categories of personal data in these resources are kept up to date.
Step 8. Is the list of authorized persons (if any) established and up to date?
The list of authorized persons is often kept in a table, which lists, in particular, the authorized persons, the personal data they process, and the purposes of their processing.
Step 9. Is it required to enter information in the Register of Personal Data Operators?
Companies with information resources and systems where personal data is processed do not always have to enter information about these resources and systems into the Register of Operators. You need to enter information in the Register only in certain cases:

  • In the case of cross-border transfer of personal data to a foreign country that does not provide the required level of personal data protection.
  • When processing biometric and genetic personal data.
  • When processing the personal data of more than 100,000 individuals.
  • When processing the personal data of more than 10,000 individuals under 16.

Step 10. Check how information about transferring personal data to third parties is recorded.
Recording such information helps provide individuals with information about the processing of their data. Usually, tables are kept in electronic form for this purpose, or logging systems are used in electronic resources. From these sources, it should be clear to whom, when, and on what basis the operator company transferred personal data.
Step 11. Has the procedure for responding to incidents of violations in the protection of personal data and for notifying the National Center for Personal Data Protection been defined?
The operator must notify the National Center for Personal Data Protection of violations of personal data protection systems immediately, and no later than three working days after the operator becomes aware of the violations.
If the violation was not followed by the illegal dissemination of personal data or their modification or destruction, a notification does not need to be sent.
Step 12. Is the procedure for storing, deleting, and blocking personal data defined?
Deleting personal data includes actions to destroy data carriers or actions that make it impossible to restore the personal data in an information resource (system). The deletion procedure depends on the media on which the personal data is stored. When determining the retention period of personal data, one must be guided by the document retention periods established by the state.

How to determine if enough has been done to protect personal data

Following all the steps may indicate that the processing of personal data in the company generally meets the established requirements. However, there is no single approach for all operator companies. Each company has its own risks; therefore, when internal control over the processing of personal data is exercised, it is necessary to compare the measures taken to protect personal data with the risks inherent in this particular company. This approach is called a “risk-based approach”.

With internal control over the processing of personal data, the DPO can detect risks in individual business processes. Verification by the National Center for Personal Data Protection and complaints from individuals regarding the processing of their data can also identify risks.

Based on this information, the DPO informs the company’s management about the risks of processing personal data and suggests measures to minimize these risks in addition to the existing measures to protect personal data.

How can we help organize internal control over the processing of personal data?

Our lawyers and information security specialists have extensive experience in internal control over the processing of personal data and in the protection of personal data.

We can: 

  1. Advise you on implementing internal control over the processing of personal data.
  2. Conduct an internal audit of business processes related to the processing of personal data and make recommendations on how to organize personal data protection in the company.
  3. Analyze the business processes for processing personal data and propose the best way to organize internal control over their processing.
  4. Develop job descriptions for persons directly processing personal data and for DPO.
  5. Develop a package of documents on internal control over the processing of personal data.
  6. Represent your interests in government agencies.

Contact us

If you have any questions or disputes regarding internal control over the processing of personal data, we will be happy to help! Our long-term experience in dividend payment will help you resolve any disputes in this area.

  • +375 29 366-44-77 (WhatsApp, Viber, Telegram);
  • info@ambylegal.by.
