Article 30, GDPR and documentation - what you need to know
Article 30 of the General Data Protection Regulation (GDPR), which comes into force on 25 May 2018, states that data controllers and processors need to keep internal records of data processing activities.
The Information Commissioner’s Office has published detailed guidance on these record-keeping requirements.
Data processors will be required to maintain a record of all categories of processing activities carried out on behalf of a controller, in addition to the current requirement for data controllers to provide details of their processing activities when they register with the ICO.
The ICO has said that keeping these records will provide an assurance as to an organisation’s approach to data, including the “quality, completeness and provenance” of personal data.
They’ve also said they believe it will help organisations to develop more effective and streamlined business processes.
Most importantly, keeping records will help organisations to demonstrate that they are complying with GDPR more generally.
What data needs to be recorded and by when?
Data controllers must record:
name and contact details of the controller and (where applicable) the joint controller, controller’s representative, and the data protection officer;
purposes of the processing;
categories of data subject and personal data;
categories of recipients to whom the personal data has been or will be disclosed;
transfers of personal data outside the EEA and the safeguards in place (if applicable);
envisaged time limits for erasure of different categories of data (where possible); and
a general description of the controller’s technical and organisational security measures (where possible).
The information that a data processor is required to keep is similar to, but not as extensive as, that required of data controllers. At the moment organisations do not have to proactively provide this information to the ICO, but it may be necessary to make it available on request, for example during an investigation.
And, most importantly, not only does all of this need to be in place by 25 May, but the ICO recommends you review it on a regular basis to ensure it remains accurate and up to date.
Does everyone have to do this?
In short, yes. Whilst there is a notional exemption if you have fewer than 250 employees, this only applies if your processing activities:
are unlikely to result in a risk to the rights and freedoms of individuals; or
do not involve special category data or criminal conviction and offence data.
In practice, this is unlikely to have much application.
If you have an existing governance framework in place, that might well be enough, as long as it includes all of the information specified in Article 30.
If you don’t have any record-keeping practice in place though, the ICO has suggested you follow a three stage process:
Ask - ask each area of your organisation that processes personal data why it uses personal data, how long it keeps it and with whom it shares it;
Meet - meet with the key areas of your organisation so you can gain a better understanding of how each of them uses data; and
Locate & Review - locate and review the relevant policies, procedures, contracts and agreements.
Actually, there’s a fourth step. Records need to be in writing (electronic or paper), in a granular and meaningful format. Once again the ICO has been helpful in setting out templates for doing this.
If you would like help with this or preparing for GDPR in any other area, please contact Piers Clayden.