Are there GDPR solutions and templates for Article 30 (records of processing activities)?
The EU General Data Protection Regulation (GDPR) Article 30 states that each controller and, where applicable, the controller's representative, shall maintain a record of processing activities under its responsibility. It then lists the information that must be maintained in the record.
Documenting your processing activities is important, not only because it’s a legal requirement, but also because it can support good data governance and help you demonstrate your compliance with other aspects of the GDPR.
Preparing for Article 30 early in your compliance program can make the GDPR easier to follow, especially when it comes to working through other articles. You may want to consider collecting MORE, rather than LESS, information. While that may sound like an onerous process, it will pay dividends. It helps you to comply not only with Article 30, but also provides GDPR solutions for other articles such as:
· Article 7 (conditions for consent)
· Article 13 (legitimate grounds for lawful processing)
· Article 5 (principles relating to processing of personal data)
· Article 13-2a (requirement to disclose retention period in privacy notices)
· Article 15-1d (information to be included in response to a right of access by the data subject)
What is a data processing inventory?
A data processing inventory reflects how the business processes data and starts with listing the processing activities and their purpose. Because a data processing inventory is aligned with how the business works, it is easy for the business to engage with.
The GDPR creates an opportunity for organizations to limit their data inventory. Organizations need an inventory of their data processing operations, rather than a detailed inventory of all their data holdings.
Does Article 30 require a data inventory?
Regarding records of processing activities, many privacy officers seem to be under the impression that Article 30 of the GDPR creates a legal obligation for a traditional data inventory or data-mapping exercise. This is not the case. It is NOT a data mapping activity.
In addition, under the GDPR, you are no longer required to register your processing activities with local data protection authorities (DPAs). Instead, you are required to maintain a record of all your organization’s processing activities internally, and to make them available to supervisory authorities upon request.
Don’t get confused! Article 30 is not a snapshot in time of data holdings, nor is it a traditional data inventory. Article 30 is a DATA PROCESSING INVENTORY.
Recording your processing activities could alternatively be called an on-demand internal record.
Recording your processing activities may sound like a lot of work. However, our experience is that it is not too hard to create records for Article 30.
What information is documented for Article 30 (Data Processing Inventory)?
(a) the name and contact details of the controller and, where applicable, the joint controller, the controller's representative, and the data protection officer;
(b) the purposes of the processing;
(c) a description of the categories of data subjects and of the categories of personal data;
(d) the categories of recipients to whom the personal data have been or will be disclosed, including recipients in third countries or international organizations;
(e) where applicable, transfers of personal data to a third country or an international organization, including the identification of that third country or international organization and, in the case of transfers referred to in the second subparagraph of Article 49(1), the documentation of suitable safeguards;
(f) where possible, the envisaged time limits for erasure of the different categories of data;
(g) where possible, a general description of the technical and organizational security measures referred to in Article 32(1).
Natuvion’s Recommended Approach
It is worth taking the time and effort to document each processing activity at the individual processing activity level. For example, 'how do we pay employee wages', 'how does someone register with our site', 'how does someone enter a competition'.
Bear in mind that the same data sets, or components of the same data sets, might be subject to multiple processing activities. Someone buying a product from an online ecommerce store will have their data processed to fulfil and deliver the order. They might also have their personal data processed by a CRM team for marketing purposes, as well as by your finance team for statutory accounting activity. (Note: there may be different retention periods for each, which is particularly important when drafting privacy notices.)
When gathering this data, consider completing the following fields in a template that we can provide to you (this template also helps you analyze the data to produce useful metrics):
- Legal entity and department;
- Process owner;
- Step by step process flow – from collection to disposal;
- Categories of data collected;
- Data subjects (e.g., employees, customers);
- Lawful grounds for processing;
- Volumes of data;
- Where data is stored (location);
- Where there is a transfer out of the European Economic Area, what the legal mechanism for it is;
- Retention period (or to agree on retention periods where they have not yet been decided);
- Who has access to the data;
- Are there any data processors involved in the process (and who they are);
- If so, has information security due diligence been conducted;
- Check of the contract clauses to see if they meet Article 28 (Processor) requirements;
- Notes on security measures applied.
Note: There may be good reasons to record the specific data elements and the location of the data, even though this is not required by Article 30.
If you would like access to our "processing activities" templates, GDPR solutions or best practices for data collection, or even access to our GDPR expert center, please contact Joanne.Lang@Natuvion.com or call +1(484)-680-5510.