Record-keeping should be nothing new to privacy-aware companies, but under the GDPR it will be mandatory for most businesses. It may seem like a nuisance and excessive red tape, but records will also give you a deeper understanding of how the data is being used and why – in addition to satisfying all the regulatory requirements.
This article is a short overview of the most important rules for record-keeping. For a more detailed analysis, read our guidelines here.
1. Everybody Should Keep Them
The obligation to keep records now extends both to data controllers and to mere processors. In short, both the controller and any third-party, outsourced data processing company will have to keep the same records on hand.
The Belgian DPA, however, considers it sufficient that either of them keeps records, provided they can obtain and present them quickly to the regulators when requested. That is a big ‘if’, and we urge all companies to keep track of their own processing activities. Records are the most important method of proving compliance, and it would be unwise, to say the least, to rely entirely on someone else.
2. Electronic or Written
Processing records need to be kept either in written or electronic form. Most will opt for electronic record-keeping. We advise you to implement a centralised database of records instead of simple Excel spreadsheets. The initial setup will require some effort, but it will pay dividends in easier organisation and data entry in the future.
The database will also be safer and allow easy search and access to the desired records, and the risk of accidental deletion is reduced. However, ensure that proper authorisation and access controls are enforced: do not allow everyone access to make changes to the database.
3. Minimum Content
While your data processing records have no prescribed form you must adhere to (though recommendations by the supervisory authorities will be issued), their content is precisely defined. Your records should contain at least the following:
- contact details of a person within the organisation
- purpose for processing, explained in detail
- categories of personal data used
- special categories of data (sensitive data), if any
- existence of data transfers to third countries
- retention periods
- overview of security and technical data protection measures
- any additional information, if deemed necessary
4. Relaxed Provisions for SMEs
Small and medium enterprises are given some leeway when it comes to record-keeping. Since record-keeping is administratively expensive and could hit smaller companies harder, in the name of equal competition the lawmakers decided to allow SMEs not to keep records if they satisfy all of the following conditions:
The processing must be occasional – it must not be a core business operation of your company – and it must not encompass protected categories of data. If you process large amounts of data, if the processing would result in considerable risk to the rights of individuals or employees, or if any piece of data you process is sensitive, you must keep records of such activities.
In particular, processing of employee data – such as worker evaluations or health information – is considered protected and requires its own record. Bear this in mind during your processing activities, since the relaxed provision is not a ‘get out of jail free card’.
We still recommend keeping records in any case, since records are an excellent way of proving you are GDPR compliant.
5. A Record for Every Purpose
You do not have to create a separate record for each processing activity, as long as the activities are performed for a single purpose.
Put simply, several processing activities can be ‘bundled’ and described in a single record if they share a common purpose for processing. You can use this to your advantage to reduce the number of records you have to make. Be careful, though: bundling does not always make the records simpler. It is certainly not a mistake to make separate records for each activity instead.
These regulations can be daunting, especially for smaller companies. It can be difficult to know for certain whether the record-keeping is up to par, and finding out can be costly if the supervisory authorities decide to impose a fine.
A data protection officer is essential for ensuring the smooth and safe operation of your company’s privacy matters, including record-keeping. Larger companies will have to hire one, while smaller companies can reap the benefits of an outsourced DPO, which markedly reduces costs. It’s easy to make a misstep, but with guidance from an expert DPO, the path towards compliance is straightforward.