GDPR Record-Keeping for Data Processing Activities

All the personal data your company collects must, by law, be protected and processed lawfully. But how can a supervisory authority verify that a company is actually upholding its customers' rights in this area?

Article 30 of the General Data Protection Regulation (GDPR) deals specifically with recordkeeping: documenting how, why, where and on whose behalf your company processes personal data.

This article of the GDPR sets out which records you must keep whenever you process personal data, the form those records must take, and the obligation to make them available to a supervisory authority on request.

The Importance of Recordkeeping

Without records there is no accountability. A company that cannot show what data it processes, for what purpose and under what safeguards cannot demonstrate compliance with anything else in the Regulation.

By implementing this legal requirement for recordkeeping, the GDPR is ensuring that all companies dealing with personal information in the EU can be held accountable for keeping personal data safe.

Consequences of Non-Compliance

There are severe penalties in place if your company fails to comply with GDPR standards.

Depending upon the specific obligation breached, infringements fall into either an upper or a lower tier. Failures to meet the Article 30 recordkeeping requirements fall into the lower tier.

The fine for a low-level infringement is whichever is greater between:

  • €10 million, or
  • 2% of your company's total worldwide annual turnover for the preceding financial year

Upper-tier infringements, such as breaches of the basic processing principles, of data subjects' rights or of the rules on international transfers, carry double that: up to €20 million or 4% of turnover.

Benefitting From Data Processing Records

Complying with the recordkeeping laws under Article 30 of the GDPR does more than simply ensure you won't suffer fines or other consequences.

Keeping these records will allow your company to benefit in various ways, including:

  • Knowing exactly what personal data you hold, where it came from and why you hold it.
  • Knowing how such information can be accessed within the company.
  • Being able to identify and solve issues with access to or use of the data.
  • Finding new, better ways to interact with and use personal data.


In short, good records are part of running the business well. Following the GDPR's recordkeeping requirements for data processing therefore pays off in several ways, both direct and indirect.

Who Needs to Follow Article 30 Regulations

In general, every company will need to keep some records. However, if your company is small enough, the scope of the records you must keep on the processing of personal data is narrower than for larger organisations.

Under 250 Employees?

The GDPR stipulates that companies with fewer than 250 employees do not have to keep records on certain data processing activities.

Specifically, these smaller companies do not need to keep records on activities that meet all three of these guidelines:

  1. Are only occasional occurrences and not done on a regular basis,
  2. Are not likely to endanger any individual's rights or freedoms, and
  3. Do not involve data on criminal convictions or offences (Article 10), nor data in the special categories defined in Article 9

Here are some practical examples of data processing activities and where they'd fall within the above guidelines:

  • The processing of personal data in human resource, sales or claims departments needs to be recorded because it is regular data processing.
  • Occasionally assessing the insurance-risk classification of a customer needs to be recorded, even though it is infrequent, because such an assessment is likely to pose a risk to the customer's rights or freedoms.
  • Processing data on employee health and ethnicities for equal opportunities purposes needs to be recorded because such information falls into a special category determined by the GDPR.
  • An infrequent assessment of your staff's engagement with the company's culture does not need to be recorded because it is not regularly done, involves no intrusive information and the data processed does not fall into any special categories.

Special Categories Of Information

Article 9 of the GDPR defines the special categories of personal data. Processing that involves any of them must always be recorded under Article 30, no matter your company's size.

These categories are data involving:

  • Race or ethnicity
  • Political standing
  • Religious or philosophical beliefs
  • Membership in a trade union
  • Health data
  • Sexual activity or orientation
  • Genetic data, and biometric data processed to uniquely identify a person

What Information Needs To Be Recorded and How

Article 30 gives clear directions for what records need to be kept when data is processed. Such records must be kept in written format which can be electronic or on paper.

Your business would most likely benefit more from electronic recordkeeping due to the ease of updating, searching, adding to, etc. such a system.

The Information Commissioner's Office (ICO), the UK's supervisory authority, publishes templates your business can follow in recording its data processing activities. There is a separate template for controllers and another for processors.

Controllers and Processors

Under GDPR guidelines there are distinct differences drawn between controllers of data and processors of data, including what responsibilities you have to record data processing activities as either one.

In Article 4(7) of the GDPR, a controller is defined as:

"the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data; where the purposes and means of such processing are determined by Union or Member State law, the controller or the specific criteria for its nomination may be provided for by Union or Member State law"

In Article 4(8), a processor is defined as:

"a natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller"

Controller and Processor Records

Whether you are a controller or processor of personal data, some recordkeeping will be necessary. However, controllers are required to be more in-depth when documenting their data processing activities.

When controllers conduct data processing activities they need to maintain a record which documents all of the following information:

  • The name and contact details of the controller, even if the controller is your own company.
  • When applicable, contact details for the joint controller of the data, the controller's representative and/or the data protection officer.
  • Your purpose in processing the data.
  • The category or categories of the subject(s) of the data.
  • The category or categories of the personal information processed.
  • The category or categories of any recipients with whom the information has already been or will be shared.
  • If applicable, that personal data was transferred to a different country or international organization, and if it was, the identity of said country or organization.
  • In the cases of special transfers of information referred to in subparagraph two of GDPR Article 49(1), what suitable safeguards you took for the data.
  • Proposed time limits for the erasure of the category or categories of information the data falls under, when possible.
  • If possible, a general description of the organizational and technical security measures listed in Article 32(1) used by your company to protect the personal data.

The records kept by your company if you are only the processor of the data must include:

  • The name and contact details of the processor(s), including your own, and of each controller on whose behalf you are processing the data.
  • If applicable, the names of any processors' or controllers' representative and the name of the data protection officer.
  • The category or categories of data processing activities done.
  • Any transfer of data to an international organization or different country, and their identification, where applicable.
  • Documentation of safeguards for any data transfers falling under Article 49(1), subparagraph two.
  • Whenever possible, documentation of your company's technical and organizational security measures for personal information, as noted under GDPR Article 32(1).

As you can see, the recordkeeping burden is considerably greater for controllers than for processors, but in both cases Article 30 spells out exactly what must be documented, so there is no guesswork about what a complete record looks like.

Advice For GDPR Article 30 Compliance

Taken as a whole, the idea of making your business comply with Article 30 recordkeeping guidelines may seem daunting. My advice for you is not to look at it as one big step you need to take, but as several smaller measures that will, together, benefit your company and help to ensure your compliance with the GDPR.

Define Yourself and Your Activities

The first step to properly maintaining records of your data processing activities is to make certain you know exactly what records your company will need to keep.

If your company employs fewer than 250 people, and its processing of personal data is only occasional, poses no likely risk to individuals and involves no special-category or criminal-offence data, you may need to maintain very few records for the GDPR.

Be certain you know whether any of the data processing activities your company undertakes is likely to risk an individual's rights or freedoms, or involves data in one of the special categories mentioned earlier, as records are always required in these cases.

You will also need to be certain if your company is acting as the controller of the data you process, or if it is the processor of the data on someone else's behalf, as this changes what information you need to document.

Use or Create a Recordkeeping System

All businesses keep records. It is essential to their growth and success. If your business already has a good, adaptable record keeping system in place, you may be able to easily modify it to document the necessary recordkeeping on your data processing activities.

If the system you already have is not going to be able to maintain a proper record of your data processing, you will need to create one, but this is not a terribly difficult task. The templates mentioned before are relatively simple and can easily be used as a part of your recordkeeping system or used as a base of what yours may look like.

Ensure Compliance

Once you know what information you need to keep and have a system in place that makes documenting it efficient and routine, go back over everything one last time to confirm GDPR compliance. After all, you do not want a fine of up to €10 million or 2% of your company's worldwide turnover for the previous financial year.