25 May 2018, when the GDPR becomes applicable, will be a stressful time for many organizations, unless they have made sure they are doing everything right, and that includes record-keeping.
Records of Processing Activities
Article 30 of the GDPR deals with record-keeping. Its requirements are laid out explicitly, so this is one of the provisions of the Regulation where there is little ambiguity, which is fortunate. Record-keeping may look like a nuisance and excessive red tape, but beyond satisfying the regulator it gives you a clear picture of what personal data the organization holds, how it is used and why.
The record-keeping required is extensive, however. Article 30 obliges both controllers (Article 30(1)) and processors (Article 30(2)) to keep records of their activities, though there are dissenting views on how far this goes in practice. The Belgian DPA, for example, has taken the position that it is not necessary for every party involved to keep its own copy: as long as the records can be presented promptly when required, the party that actually carries out the processing can hold them.
Still, it is prudent for each party to keep its own copy for reference, because the records are the primary means of demonstrating compliance with the GDPR. Organizations must make them available to the supervisory authority on request (Article 30(4)), without exception.
Records must be kept in writing, including in electronic form (Article 30(3)). Your organization should implement centralized storage of the records, preferably a structured database with access control and change history rather than scattered Excel spreadsheets, so that the register can be queried, kept current and exported on request. The required content is set by the Regulation and is in principle the same in every Member State, although national authorities may ask for additional details to be recorded.
Unlike today's notification regime, under which some national registers of notified processing operations are public, the GDPR treats records of processing as internal documents: companies must produce them for the supervisory authority but do not have to publish them.
What the Records Should Contain
Records must identify your organization: the name and contact details of the controller (and of any joint controller), of the controller's representative where one has been designated, and of the data protection officer.
Your records should contain at least the following:
- contact details of a responsible person within the organization
- purposes of the processing, described in detail
- categories of data subjects (for example customers, employees, website visitors)
- categories of personal data that are processed
- special categories of data (sensitive data), if any
- categories of recipients of the personal data, including recipients in third countries
- transfers of personal data to third countries or international organizations, if any
- whether data relating to minors is processed
- envisaged retention periods (time limits for erasure)
- a general overview of the technical and organizational security measures
- any additional information the organization considers useful
Personal data may not be processed for purposes incompatible with those for which it was collected (the purpose-limitation principle in Article 5(1)(b)), so the purposes recorded must match what data subjects were told, whether in a consent form or a privacy notice. Describe each purpose in as much detail as possible. Records must list the categories of recipients; naming individual recipients is not required, but it is good practice.
A single record can describe several processing activities as long as they share a purpose. This reduces the number of records you have to keep, but not necessarily their complexity.
Any transfer of personal data to a third country or international organization must be documented, and the record must identify the destination country or organization and the safeguards relied on (for example an adequacy decision, standard contractual clauses or binding corporate rules). A transfer covered by neither an adequacy decision nor appropriate safeguards is possible only under the narrow derogation in the second subparagraph of Article 49(1): it must not be repetitive, may concern only a limited number of data subjects, and the controller must document its assessment and the safeguards it applied in the record and inform the supervisory authority of the transfer.
Envisaged time limits for erasure should be listed, but they need not be expressed as a fixed number of months or years. Other parameters are acceptable, such as 'for the duration of the contract' or 'for as long as the services are performed'.
Records should also contain a general description of the technical and organizational security measures protecting the data (Article 32). Further information may be added if the organization wishes, but everything in the record will be visible to the supervisory authority, so add it deliberately.
A processor's record is shorter: the name and contact details of the processor, of each controller on whose behalf it acts, of their representatives and of the data protection officer, where applicable; the categories of processing carried out for each controller; any transfers to third countries and the safeguards applied; and a general description of the security measures. Processors do not record the purposes of processing or the time limits for erasure, which are the controller's responsibility.
Substance over Form
There are no provisions prescribing what the records must look like or how detailed they must be, but the German DPAs have been developing a model register intended to help organizations ensure compliance. As yet it has not been completed. Other supervisory authorities may publish their own templates, which would be very practical for companies, especially for SMEs that fall under the record-keeping obligation.
Derogations for SMEs
The lawmaker was clearly aware of the burden such comprehensive record-keeping would place on SMEs: a significant administrative load and increased expenses that could put them in a precarious position.
Article 30(5) exempts enterprises and organizations employing fewer than 250 persons from the obligation to maintain records, but only if the processing they carry out is occasional, is not likely to result in a risk to the rights and freedoms of data subjects, and does not include special categories of data or data relating to criminal convictions and offences. If any one of these conditions fails, record-keeping is mandatory for that processing regardless of headcount.
Occasional processing means processing that is not part of the company's core business: it is incidental and does not occur regularly or predictably. Even where the exemption applies, SMEs are strongly advised to keep records whenever possible.
In particular, the processing of employee data, such as performance evaluations or health information, is regular rather than occasional, and health data is a special category, so it must be recorded even by a small organization.
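The content requirements under "What the Records Should Contain" and the Article 30(5) derogation above both come down to a few checkable rules, which is what a register kept in a database (rather than in spreadsheets) lets you enforce automatically. The following validator is an added example written for this page; it is not code from the original article or from any DPA template. Field names such as `controller_contact`, the role labels, the `art49_derogation` basis label and the two sample entries are this example's own assumptions; the checks themselves follow Article 30(1), 30(2) and 30(5).

```python
"""Validator for an Article 30 register of processing activities.

Added example, not code from the original article. Field names, the
role labels and the sample records are this example's own assumptions;
the checks follow Article 30(1), 30(2) and 30(5) of the GDPR.
"""
from __future__ import annotations

# Items a controller must record (Art. 30(1)(a)-(d)).
CONTROLLER_REQUIRED = (
    "controller_contact",       # 30(1)(a): controller, representative, DPO
    "purposes",                 # 30(1)(b)
    "data_subject_categories",  # 30(1)(c)
    "data_categories",          # 30(1)(c)
    "recipient_categories",     # 30(1)(d)
)
# Items a processor must record (Art. 30(2)(a)-(b)).
PROCESSOR_REQUIRED = (
    "processor_contact",        # 30(2)(a): processor, representative, DPO
    "controller_contact",       # 30(2)(a): each controller it acts for
    "processing_categories",    # 30(2)(b)
)
# "Where possible" items: absence is a warning rather than an error.
CONTROLLER_RECOMMENDED = ("erasure_time_limits", "security_measures")
PROCESSOR_RECOMMENDED = ("security_measures",)

# Data categories that remove the Art. 30(5) exemption: the Art. 9(1)
# special categories plus Art. 10 criminal-conviction data.
TRIGGER_CATEGORIES = {
    "racial or ethnic origin", "political opinions",
    "religious or philosophical beliefs", "trade union membership",
    "genetic data", "biometric data", "health",
    "sex life or sexual orientation", "criminal convictions and offences",
}


def validate_record(record: dict) -> tuple[list[str], list[str]]:
    """Return (errors, warnings) for one register entry.

    record["role"] is "controller" or "processor" (assumed field name).
    Items the Regulation requires outright are errors when missing;
    "where possible" items only produce warnings.
    """
    role = record.get("role")
    if role == "controller":
        required, recommended = CONTROLLER_REQUIRED, CONTROLLER_RECOMMENDED
    elif role == "processor":
        required, recommended = PROCESSOR_REQUIRED, PROCESSOR_RECOMMENDED
    else:
        return [f"unknown role {role!r}"], []

    errors = [f"missing required item: {k}" for k in required if not record.get(k)]
    warnings = [f"missing 'where possible' item: {k}" for k in recommended if not record.get(k)]

    # Art. 30(1)(e) / 30(2)(c): every transfer must identify the destination.
    # A transfer relying on the Art. 49(1) second-subparagraph derogation must
    # also document the safeguards applied (and be reported to the authority).
    for i, transfer in enumerate(record.get("third_country_transfers", [])):
        if not transfer.get("destination"):
            errors.append(f"transfer #{i}: destination not identified")
        if transfer.get("basis") == "art49_derogation" and not transfer.get("safeguards"):
            errors.append(f"transfer #{i}: Art. 49(1) derogation without documented safeguards")
    return errors, warnings


def records_required(headcount: int, occasional: bool,
                     data_categories: list[str], likely_risk: bool = False) -> bool:
    """Art. 30(5): under 250 staff is exempt unless any trigger applies."""
    if headcount >= 250:
        return True
    has_trigger = any(c.lower() in TRIGGER_CATEGORIES for c in data_categories)
    return likely_risk or not occasional or has_trigger


# Constructed sample entries for illustration only.
SAMPLE_CONTROLLER = {
    "role": "controller",
    "controller_contact": "Example Ltd, DPO dpo@example.com",
    "purposes": "Payroll administration for employees",
    "data_subject_categories": ["employees"],
    "data_categories": ["name", "bank account", "salary"],
    "recipient_categories": ["payroll provider", "tax authority"],
    "erasure_time_limits": "duration of employment plus statutory retention",
    "security_measures": "encryption at rest, role-based access, audit logging",
    "third_country_transfers": [{"destination": "United States",
                                 "basis": "standard contractual clauses"}],
}
SAMPLE_PROCESSOR_INCOMPLETE = {
    "role": "processor",
    "processor_contact": "Hosting Co, privacy@hosting.example",
    "controller_contact": "Example Ltd",
    # no processing_categories (error) and no security_measures (warning)
    "third_country_transfers": [{"destination": "", "basis": "art49_derogation"}],
}

if __name__ == "__main__":
    for name, rec in (("controller", SAMPLE_CONTROLLER),
                      ("processor", SAMPLE_PROCESSOR_INCOMPLETE)):
        errs, warns = validate_record(rec)
        print(name, "errors:", errs, "warnings:", warns)
    print("40-person firm, regular payroll:", records_required(40, False, ["name"]))
    print("40-person firm, one-off survey:", records_required(40, True, ["name"]))
```

The split between errors and warnings mirrors the Regulation's own wording: the contact, purpose, category and recipient items are unconditional, while time limits and security measures are required "where possible". The derogation check in `records_required` is deliberately per processing activity rather than per company, since a small organization is exempt only for those activities that meet all the conditions; its regular payroll processing is recorded even if a one-off customer survey need not be.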
Organizations that violate the record-keeping obligation face an administrative fine of up to EUR 10 million or, for an undertaking, up to 2 percent of its total worldwide annual turnover of the preceding financial year, whichever is higher (Article 83(4)), with the amount depending on the severity of the infringement.
It is obviously more cost-effective to keep records up to standard than to pay fines, and the records carry an additional benefit: they make it easier to demonstrate compliance with the other GDPR provisions. Good record-keeping also lets management see exactly what processing is taking place and for what purposes. For large organizations this can reduce costs, because it often reveals that the same data is being collected and used in much the same way in several parts of the company. That alone is reason enough to establish good record-keeping practices, independently of the GDPR.
Guidance from an expert DPO can help your company adapt and introduce the new mechanisms in a straightforward way and reduce the costs associated with ensuring compliance.