With the new General Data Protection Regulation (GDPR), companies that process data will need to ensure they have detailed records of what they’re doing with data.
Article 30 says: “Each controller and, where applicable, the controller’s representative, shall maintain a record of processing activities under its responsibility.”
The GDPR will see the end of any distinction between internal and external records. There is now only one kind of record-the internal record- which has to be made available to supervising authorities upon their request.
In extreme cases, failure to meet the requirements of the GDPR could see your organisation face a fine of up to €20 million or 4% or annual global turnover – whichever is higher.
Controller or Processor
If your organisation is the one that decides what purpose data is being collected for, or how it’s being collected, then your a controller of data.
However, if you are doing the processing on behalf of another organisation then you are a data processor. It is likely that your organisation is both a controller and processor.
The new GDPR regulation has a stringent set of requirements to follow for both data controllers and data processors. It states that you must record:
1) Your organisational details, and the contact details of your Data Protection Officer. Additionally, if your company is not within the EU, then you must provide details of your designated representative in the EU
2) A description of the security measures you have in place to protect data. This includes both technical security measures, such as encryption, as well as organisational security e.g. Internal restrictions on who has access to which parts of the network
3) For data transfers outside of the EEA, organisations will need to document where data is being transferred to and the safeguards in place to protect that data.
Article 30 – What does it mean for the Controller?
If your role is to act as the controller then the onus is on you to determine the purpose of the data processing.
You will also need to record the types of people whose data you’re working with, and the types of data you’re working with, which will inevitably differ dependent on the nature of your business.
If you’re a controller then you will also need to record the types of recipients to whom you will be disclosing data. It is also the controller’s responsibility to document the length of time you plan to keep each category of data before it is erased.
Article 30 – What does it mean for the Processor?
If you’re the processor then you are going to have to deal with the documentation of data. You will need to record:
• The names and contact details of the controller for whom you are processing data
• The details of the controller’s DPO (if they have one) and their representative if they’re not EU based.
This may not sound too taxing, but you must bear in mind that the average processor e.g. a marketing agency would be processing data on behalf of numerous clients. These details must also be recorded for each controller on behalf of whom the processor is processing data.
Additionally, processors need to document the different categories of processing being carried out on behalf of each controller. The GDPR defines processing as: ““any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.”
With so many variables you can see how this can become a complex problem quite quickly.
What else do you need to know about Article 30?
Many are unprepared for this level of data protection compliance. They will quickly need to adopt mature privacy guidelines that can audit processing activities across multiple departments, businesses and markets.
You must have a record of all data processing, whether or not the data is in written or electronic format, and it must be available to your local supervisory authority when they require it.
Preparation for Article 30
Relevant business function and third-party data processing activities need to be identified and a Personal Data Register should be created. Your privacy policies and notices should be updated and internal personnel should be brought up to speed with GDPR as it relates to their specific job title.
In a wider context, the core of GDPR lies in its emphasis on accountability. A chain of accountability should be established at a department, company and organisational level in order to maintain consistent handling of incidents, operational processes and reporting activities. You can read more about the importance of accountability in our previous blog here.
If you’d like additional help with your GDPR project you can visit us on one of our stops as part of our GDPR for Dummies roadshow, which will be coming to a city near you soon. Register for the free breakfast briefings here.
We’ve also created MetaPrivacy – a GDPR solution that is specifically designed to help your business deal with Article 30. For more information on MetaPrivacy and our other GDPR resources, visit here.