What is a processing register and how do I build one?
A list per processing activity: what data, what purpose, how long, who shares it. Mandatory under GDPR Art. 30; the under-250-staff exemption falls away as soon as processing is structural or high-risk, which is essentially always the case for SMBs handling customer data.
Try this first
- 1Open a sheet or use the AP template. One row per processing: name, purpose, types of subjects, types of data.
- 2Add the retention period and the legal basis (consent, contract, legal duty, legitimate interest).
- 3List recipients per processing: HR tool, accounting, mail provider, external parties. Non-EEA countries separately.
- 4Describe the security measures at a high level: MFA, encryption, access control, backup.
- 5Review every six months or whenever a new tool comes in. The register need not be public but must be available on request to the AP.
When to bring us in
Processing special-category data (health, BSN, biometric) across multiple systems often needs a DPIA on top. Happy to scope it.
See also
- Does NIS2 apply to my company?Two questions decide it: are you in a listed sector, and do you meet the threshold from Recommendation 2003/361/EC (more than 50 FTE and more than EUR 10M turnover or balance sheet). Below that you are only indirectly in scope, via your customers. The threshold determines whether you are an important or essential entity depending on sector.
- What changes with the Dutch Cyber Security Act?The Cyberbeveiligingswet is the Dutch implementation of NIS2. Track NCSC for the exact effective date and the lower regulations.
- Am I personally liable as a director under NIS2?Yes. The board is accountable for approving and overseeing the cyber measures. Severe negligence can become personal.
None of the above fits?
Describe your situation below. We pass your input plus the steps you already saw to our AI and return tailored next-step advice. If it's too risky to DIY, we'll say so.
Or skip the DIY entirely
Our Managed IT clients do not look these things up. One point of contact, a fixed monthly price, resolved within working hours.