The General Data Protection Regulations (GDPR) introduced a significant number of new standards, including new documentation requirements. GDPR Article 30 Records of processing activities addresses these requirements: “In their capacity as data controller, groups will be required to record how they process data and other aspects of their data processing activities.” Organisations must take careful note of these requirements. Although new procedures may be costly to implement, the fines for GDPR non-compliance are even more substantial.
Article 30 details the types of records the data controller (or the representative) must maintain. The list includes:
- Name and address of the data controller
- Name and address of the Data Protection Officer (if relevant)
- Name and address their representative
- Purpose of the processing.
- Information relating to transfers of data to non-EU countries or international
- Security methods used to protect transferred and stored data
- Estimated periods for which the data is planned to be kept before deletion.
Under GDPR, organisations are required to record a description of the categories of data subjects and the categories of personal data being treated. Therefore data controllers need to document (or otherwise physically record) whether they were processing health, financial, or another type of information, along with whether the owners of the data were employees, customers, or otherwise affiliated persons. Article 30 explicitly states that the records must be in writing. Paragraph 3 of Article 30 permits organisations to document records electronically.
A supervisory authority must be able to access the data controller or processor’s records upon request. Organisations should implement procedures such that these requests can be responded to promptly. Such systems may include software to enable searching, categorising, or cataloguing data. GDPR also grants individuals “right to be forgotten”, allowing individuals to request storage or processing firms to delete their data. The systems used by an organisation should allow for them to respond to these requests efficiently.
There exist some exceptions to GDPR’s documentation requirements. Small businesses (fewer than 250 employees) only need to comply with GDPR’s rules in certain circumstances. For example, small businesses that engage in systematic – “not occasional” – processing must record their activities in line with GDPR’s requirements. The same rule applies to small businesses that process some categories of data such as high risk or criminal data.
In summary, the types of data that much be documented under GDPR’s requirements includes:
- Name and contact details of the enterprise
- Name and contact details of Data Protection Officers, if applicable
- Name and contact details of any organisation that co-controls any of the personal
data being processed
- Name and contact details of representatives within the EU for organisations that are based outside of the EU
- Reason that the personal data is being processed, e.g. customer engagement
- Categories of data being processed, e.g. data subject’s relationship to the
- Type of data that is being processed e.g. health information or financial information
- Details of any party that personal data is shared with
- Details of any non-EU countries where personal data is transferred to
- Details of protections applied for exceptional transfers of data, outlined in Article 49
of the GDPR
- Retention details for different types of personal data
- Details of security measures implemented to protect personal data