GDPR Article 30: It’s all about the documentation
Author: Clarip Chief Privacy Officer
There has been much consternation and confusion about Article 30 of GDPR, what it means and how to comply with this mandate. To add to the uncertainty, there is wide interpretation of what this mandate means and even how it is described. The closer we get to the GDPR enforcement date, the more Article 30 seems to take new meanings and terminology. Terms such as data map, index or processing index are sometimes used without a clear description of what is meant or why it may be preferable to the actual terminology of GDPR.
What exactly does Article 30 require?
Let’s step back for a moment. The language of Article 30 requires controllers and processors to keep records of their processing activities. Of course, it is implicit that an organization first needs to get an accurate handle on the processing it conducts itself and the processing conducted externally at its direction.
Under Article 30, the record of such processing should include specific information such as the relevant contact information of the controller and its representatives, the purposes of processing, the categories of recipients, transfers to third countries and international organizations where applicable, time limits on retention, and the security measures implemented. Similarly, each processor must maintain the same types of records and show the categories of processing and the controllers on whose behalf the processing is carried out. Under each of these broad categories, there are certainly details that need to be identified and included to create the organization’s complete record of processing activities.
What is meant by documentation?
Documentation refers to the records of the legitimate business needs and purposes for data, the processing activities conducted, and data sharing and other processing. Beyond what GDPR compliance requires, solid data governance also relies on proper documentation to achieve an adequate level of knowledge of, and control over, the organization’s data.
(This just isn’t going to cut it)
A more practical approach:
Focus on the substantive categories of documentation noted under Article 30 rather than on the detailed graphics that are often generally thought of as data maps.
• Describe, in writing, the categories of information you maintain.
• Include the purposes for which you use data.
• Show how the various data categories are shared and connected within your systems.
• Don’t forget your paper files; GDPR is not solely limited to electronic systems.
• Use technology to make this process easier, faster and more accurate. A very important and often ignored aspect of all this is that technology solutions must be considered to make this task more manageable and thorough.
• This information should be documented in a way that can be easily updated as your processing activities and business needs change.
Remember, start with the language of GDPR itself and take advantage of the templates and information released by data protection authorities, but don’t fall into the trap of assuming that Article 30 automatically translates into a data map.