
If your company processes personal data within the scope of the GDPR, you need to keep a detailed record of those processing activities. This is regulated by GDPR Article 30 (records of processing activities), which applies to organisations established in the EU and to organisations outside the EU that process the personal data of people in the EU.
What is GDPR Article 30 record keeping?
GDPR Article 30 defines what must be recorded about each activity that processes personal data. Because its scope is broad, it will most likely apply to your company. Whether or not you intend to pursue a GDPR certification (Article 42, which is voluntary), Article 30 is a legal obligation, so you need to understand how your systems move personal data through every process by following the data.
Under Article 30 every company in scope must create a record of its processing activities. The record exists for the regulators: it lets a supervisory authority see how you handle personal data and check that the handling complies with the GDPR.
It is therefore not enough to focus on the data elements themselves; a record built that way overlooks much of what the GDPR requires. The record should show how and why the data is processed, not just what data is held.
Who Does the Regulation Apply to?
The GDPR itself applies to every organisation established in the EU, and to organisations elsewhere that offer goods or services to, or monitor the behaviour of, people in the EU. Article 30(5) limits the record-keeping obligation to organisations with 250 or more employees. If your company is smaller, you still need to document any processing activity that is:
- Not occasional, meaning processing you carry out regularly or as part of normal operations rather than as a one-off (payroll, customer records and HR files usually fall here)
- Likely to result in a risk to the rights and freedoms of the individuals concerned
- Concerned with special categories of personal data (Article 9) or data relating to criminal convictions and offences (Article 10).
Complying with GDPR Processing Activities
To maintain compliance the company must keep a record of how personal data is processed, together with the purpose and nature of each processing activity. The supervisory authority may demand to see this record at any time.
Your company is obliged to provide a comprehensive record with supporting documentation. The duty to keep records falls on both controllers and processors; acting only as a processor does not exempt you.
Article 30(3) requires the record to be in writing, which includes electronic form. Controllers, processors and, where appointed, their representatives must make the record available to the supervisory authority on request.
The authority may use the record to monitor your processing operations and verify that they comply with the GDPR. The contents required are listed below, separately for companies acting as controller and for companies acting as processor.
What Record Is Required to Be Documented by a Controller?
The GDPR defines a controller as the entity that determines the purposes and means of processing personal data. If your company acts as a controller, its record must contain the following (Article 30(1)):
- The name and contact details of your company
- The name and contact details of your data protection officer, who oversees data protection and assists with GDPR compliance – if applicable
- The name and contact details of any joint controller, that is, any other company that decides together with you how and why the personal data is processed – if applicable
- The name and contact details of your representative (Article 27), the person or company appointed inside the EU when your company is established outside the EU but offers services to, or monitors, people in the EU – if applicable
- The purposes of the processing: why the company uses the personal data, for example marketing, recruitment or customer management.
- The categories of data subjects: the groups of people whose personal data your company processes, such as customers, employees or members.
- The categories of personal data the company processes about those people, for example health data, financial data or contact details.
- The categories of recipients to whom the personal data has been or will be disclosed, and the third countries or international organisations to which personal data is transferred (anything outside the EU) – if applicable
- For transfers made under the exceptional derogation in Article 49(1), second subparagraph, the documentation of the suitable safeguards applied – if applicable
- The envisaged time limits for erasure of each category of personal data, that is, how long the data is kept. The limits may come from legal requirements, industry guidelines or internal policy and will differ between companies. – where possible
- A general description of the technical and organisational security measures (Article 32(1)) used to protect the personal data, such as access control, encryption and staff training. – where possible
What Record Is Required to Be Documented by a Processor?
The GDPR defines a processor as the entity that processes personal data on behalf of, and on the instructions of, a controller. If your company acts as a processor, its record must contain the following (Article 30(2)):
- The name and contact details of your company
- The name and contact details of your data protection officer, who oversees data protection and assists with GDPR compliance – if applicable
- The name and contact details of each controller on whose behalf your company acts, that is, each company that decides how and why the personal data is processed.
- The name and contact details of your own representative, appointed inside the EU when your company is established outside the EU but offers services to, or monitors, people in the EU – if applicable
- The name and contact details of each controller's representative, where that controller is established outside the EU – if applicable
- The categories of processing carried out on behalf of each controller, for example IT hosting, payroll processing or marketing.
- The third countries or international organisations to which personal data is transferred (anything outside the EU) – if applicable
- For transfers made under the exceptional derogation in Article 49(1), second subparagraph, the documentation of the suitable safeguards applied – if applicable
- A general description of the technical and organisational security measures (Article 32(1)) used to protect the personal data, such as access control, encryption and staff training. – where possible
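Because the controller and processor lists overlap and several items are conditional, it is easy to produce a record that silently omits a mandatory field. The following Python script is an added example, not part of the original article or of any official tool: it checks a record (held here as a plain Python dictionary) for the fields Article 30(1) or 30(2) requires, treats the "where applicable / where possible" items as warnings, and also applies the Article 30(5) small-company exemption described earlier. The field names, the "role" and "basis" values and the two sample records are this example's own assumptions; the GDPR prescribes the content of the record, not a file format.

```python
"""Completeness check for an Article 30 record of processing activities.

Added example, not from the original article. Field names, 'role'/'basis'
values and sample records are this example's own assumptions: the GDPR
prescribes the content of a record, not its format.
"""

# Article 30(1): what a controller's record must always contain.
CONTROLLER_REQUIRED = {
    "controller_name", "controller_contact",
    "purposes", "data_subject_categories",
    "personal_data_categories", "recipient_categories",
}
# Article 30(2): what a processor's record must always contain.
PROCESSOR_REQUIRED = {
    "processor_name", "processor_contact",
    "controllers",            # every controller the processor acts for
    "processing_categories",
}
# Items required only "where applicable" or "where possible": missing ones
# are reported as warnings, not failures.
CONDITIONAL = {"dpo_contact", "retention_limits", "security_measures"}


def must_be_recorded(headcount: int, activity: dict) -> bool:
    """Article 30(5): a company with fewer than 250 employees may skip an
    activity unless it is likely to risk data subjects' rights and freedoms,
    is not occasional, or involves Article 9 or Article 10 data.
    An activity not explicitly flagged occasional is treated as regular."""
    if headcount >= 250:
        return True
    return bool(
        activity.get("likely_risk")
        or not activity.get("occasional", False)
        or activity.get("special_category_data")
        or activity.get("criminal_offence_data")
    )


def check_record(record: dict) -> dict:
    """Return {"ok": bool, "errors": [...], "warnings": [...]} for one record."""
    errors, warnings = [], []
    required = {"controller": CONTROLLER_REQUIRED,
                "processor": PROCESSOR_REQUIRED}.get(record.get("role"))
    if required is None:
        return {"ok": False, "warnings": [],
                "errors": ["role must be 'controller' or 'processor'"]}
    for field in sorted(required):
        if not record.get(field):          # absent, None or empty list
            errors.append(f"missing required field: {field}")
    # Art. 30(1)(e) / 30(2)(c): name each transfer destination; a transfer
    # relying on the Art. 49(1) second-subparagraph derogation must also
    # document the safeguards applied.
    for transfer in record.get("third_country_transfers", []):
        dest = transfer.get("destination")
        if not dest:
            errors.append("transfer without destination country/organisation")
        if transfer.get("basis") == "art49_derogation" and not transfer.get("safeguards"):
            errors.append(f"transfer to {dest} relies on the Article 49 "
                          "derogation but documents no safeguards")
    for field in sorted(CONDITIONAL):
        if not record.get(field):
            warnings.append(f"{field} not documented (required where applicable/possible)")
    return {"ok": not errors, "errors": errors, "warnings": warnings}


# Constructed sample records for this example; the organisations are fictional.
CONTROLLER_RECORD = {
    "role": "controller",
    "controller_name": "Example Retail Ltd",
    "controller_contact": "privacy@example-retail.test",
    "dpo_contact": "dpo@example-retail.test",
    "purposes": ["customer management", "marketing"],
    "data_subject_categories": ["customers", "newsletter subscribers"],
    "personal_data_categories": ["contact details", "purchase history"],
    "recipient_categories": ["payment processor", "email delivery provider"],
    "third_country_transfers": [
        {"destination": "United States", "basis": "standard_contractual_clauses"},
    ],
    "retention_limits": {"purchase history": "7 years after last order"},
    "security_measures": ["encryption at rest", "role-based access control"],
}
PROCESSOR_RECORD = {
    "role": "processor",
    "processor_name": "Example Payroll GmbH",
    "processor_contact": "privacy@example-payroll.test",
    "controllers": [],                     # no controllers listed: incomplete
    "processing_categories": ["payroll processing"],
    "third_country_transfers": [
        {"destination": "India", "basis": "art49_derogation"},  # no safeguards
    ],
}

if __name__ == "__main__":
    for rec in (CONTROLLER_RECORD, PROCESSOR_RECORD):
        result = check_record(rec)
        print(rec["role"], "OK" if result["ok"] else "INCOMPLETE")
        for line in result["errors"] + result["warnings"]:
            print("  -", line)
```

Run stand-alone, the controller record passes with no warnings, while the processor record is reported as incomplete: it names no controller and its Indian transfer relies on the Article 49 derogation without documenting safeguards, and the three conditional items are flagged as warnings. The check deliberately treats an activity not flagged as occasional as regular, so a small company defaults to recording it.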
Record Keeping Best Practices to Comply With GDPR
To comply with the GDPR you need to organise the record in the way the regulation lays out. This is not a one-off task: the record must be detailed, and it must be kept current as your processing changes. The following practices help.
Do a Data Inventory
- Determine the categories of data subjects whose data the company collects, such as customers, account holders or employees.
- Determine the categories of personal data stored in your company's own systems, such as customers' browsing history or employee records.
- Determine the categories of personal data stored in systems owned by third parties, such as customers' card details held by a payment provider.
Do Data Mapping
Mapping the data you collect tells you where each category of data goes after the point of collection. To achieve this you need to:
- Track every step of the processing of each data category, from the point of collection onward.
- Follow the personal data's journey both through the company's own systems and through systems owned by third parties.
You should also identify where the personal data is stored, in your own systems and in third-party systems, and record where the servers hosting each of those systems are located geographically; this is what tells you whether a transfer to a third country is taking place.
Assess Your Data Processing to Comply with GDPR Article 30 Record Keeping
- Define which categories of personal data are genuinely needed to run your business, so that you can stop collecting, and delete, the rest.
- Define which categories of personal data your company will keep and which it will delete, to minimise the amount of personal data you hold.
- Make sure every processing activity rests on one of the lawful bases in GDPR Article 6 (consent is one of them, but not the only one) and that the basis is recorded.
- Set the parameters that determine how long each category of personal data is stored and in what format.
- Identify any bottlenecks that could arise when handling data subject requests, for example access or erasure requests, since the record should let you locate a person's data quickly.
Conclusion
Whether your company acts as a controller or as a processor, it needs to comply with GDPR Article 30 record keeping. Start building the record now, whether or not you intend to seek a GDPR certification, and keep it up to date: it is the evidence that your company still complies with the GDPR as your processing changes.