Note: This is the eleventh post in an ongoing series on GDPR. We’ll be preparing you all the way to May 2018 on topics like: Privacy Protection and Breach Notification, GDPR Compliance Strategies, GDPR Enforcement and Penalties, Potential GDPR Costs, GDPR Auditing and more. Subscribe using the button on the right and you’ll be updated when we post a new article.
GDPR Record Keeping
We are down to the last days before enforcement of the European Union's (EU) General Data Protection Regulation (GDPR) begins on 25 May 2018. Over the course of this series we have touched on many GDPR topics. Today we will discuss one of the more work-intensive areas of GDPR, and one that may cause the most change for organizations: Record Keeping. Businesses are often focused on doing the work they do, and documenting that work is secondary or not considered at all. Record keeping under GDPR will be a significant new requirement for many organizations.
The record-keeping requirements of GDPR are set out in Article 30, Records of processing activities. The Article covers four main areas: the records a Controller must maintain, the records a Processor must maintain, the requirement that the records be in writing (including in electronic form), and the requirement to make the records available to the supervisory authority on request. A fifth paragraph provides a limited exemption for small organizations, discussed below.
Controllers and Processors, or their representatives, share two obligations. Both must document transfers of personal data to a third country or an international organization, including the identification of the country or organization the data was transferred to and, for the transfers covered by the second subparagraph of Article 49(1), documentation of the suitable safeguards relied on. Both must also, where possible, document a general description of the technical and organizational security measures referred to in Article 32(1).

Controllers must additionally maintain a record of: the name and contact details of the controller and, where applicable, the joint controller, the controller's representative and the data protection officer; the purposes of the processing; a description of the categories of data subjects and of the categories of personal data; the categories of recipients to whom the personal data have been or will be disclosed; and, where possible, the envisaged time limits for erasure of the different categories of data.

Processors must maintain a record of: the name and contact details of the processor and of each controller on whose behalf the processor is acting, together with, where applicable, the controller's or processor's representative and the data protection officer; and the categories of processing carried out on behalf of each controller.
The final part of Article 30 is an exemption for enterprises or organizations employing fewer than 250 persons. The exemption does not apply if the processing is likely to result in a risk to the rights and freedoms of data subjects, if the processing is not occasional, or if the processing includes special categories of data (Article 9(1)) or personal data relating to criminal convictions and offences (Article 10). In practice, the "not occasional" condition means that most organizations with routine processing such as payroll, customer or user accounts will still need to keep records even if they are below the headcount threshold.
Article 30 of the GDPR fills only about a page of text, but its effect on organizations will be far reaching. Under GDPR, data subjects gain stronger rights to know who holds their personal data, for what purposes, and what processing it will undergo, and the records of processing activities are how an organization demonstrates that it can answer those questions. More importantly, businesses and organizations simply must be aware of GDPR, of the steps they will have to take to be in compliance, and of their accountability for their actions under the accountability principle in Article 5(2). Documentation will be a large part of remaining compliant with GDPR: businesses MUST document their processing, keep that documentation current as processing changes, and have it available when a supervisory authority requests it.