Do I really need a data register?
To ask the question is to answer it. In general, every company or organisation, including yours, must keep a register of its processing activities. Some refer to this as a data processing register, but in our Humidor we call it a data register. The name is not important; what matters is that you must have one.
A data register is an inventory of all personal data processing activities and helps you to correctly assess your responsibilities under the GDPR and the risks associated with them.
All processing activities must be described in such a data register, with the following elements being crucial:
- The purpose of the processing (e.g. building strong customer relationships)
- The categories of data processed (surname, first name, address, etc.)
- Who has access to this data within the organisation/company?
- If you share personal data outside the EEA (European Economic Area), this must be stated
- What is the retention period?
- What security measures have been taken to protect this personal data?
For smaller organisations with fewer than 250 employees, the obligation to have a data register is limited to non-incidental activities. However, please note that the law defines incidental activities as, for example, the spontaneous opening of a shop for which a few addresses are quickly collected. As soon as you start storing personal data on a regular basis, which applies to almost all organisations, this is no longer incidental and you must have a data register.
The data register is always the responsibility of the manager of your company or organisation. In smaller organisations this is, as a rule, the manager or the general director.