GDPR Top Ten: #4 Maintaining records of processing activities
What is the impact of this (new) obligation under the GDPR?
In this blog we focus on the technical and operational aspects of how organizations can create an overview of existing data processing activities. For some countries this is not an entirely new requirement, as organizations in for example the Netherlands and Belgium are already familiar with the obligation of notifying processing activities to the local Data Protection Authority.
10 March 2017
This new responsibility for organizations, laid down in article 30 of the GDPR, requires a full overview of the processing activities that take place within an organization, but also requires these activities to be documented accordingly. This will require a proactive approach from, and collaboration within, organizations.
What does this new obligation entail for controllers?
Each controller will have the responsibility to maintain records of all the processing activities which take place within the organization. These records (which need to be in writing, as well as in electronic form) must contain all of the following information:
(a) the name and contact details of the controller and where applicable, the data protection office;
(b) the purposes of the processing;
(c) a description of the categories of data subjects and of the categories of personal data;
(d) the categories of recipients to whom the personal data have been or will be disclosed including recipients in third countries or international organizations;
(e) the transfers of personal data to a third country or an international organization, including the documentation of suitable safeguards;
(f) the envisaged time limits for erasure of the different categories of data; and
(g) a general description of the applied technical and organizational security measures.
Please note that the obligation does not apply to organizations employing fewer than 250 persons, unless the processing is of a high-risk nature, including processing of special categories of personal data such as ethnic or health information, or data about criminal behavior.
Furthermore, the controller or the processor (please refer to the next paragraph) need to make the records available to the supervisory authority upon request.
And what about processors?
In general, the GDPR does not only require more responsibility from the controller, but it also requires more responsibility from the involved data processors. Therefore, this obligation is also applicable to processors. Each processor will have the responsibility to maintain records of all categories of processing activities carried out on behalf of a controller, containing:
- the name and contact details of the processor or processors and of each controller on behalf of which the processor is acting, and, where applicable and the data protection officer;
- the categories of processing carried out on behalf of each controller;
- transfers of personal data to a third country or an international organization, including the documentation of suitable safeguards;
- a general description of the applied technical and organizational security measures.
Operational and technical measures
Organizing records of all the data processing activities that take place within in your organization, could pose a challenge. Especially when these kinds of processing activities take place decentralized within different departments or business units. How can this stream of information best be coordinated, where should records be stored and more importantly, how should these records be maintained and kept up-to-date? Below a few practical tips and tricks are outlined.
1. Involve the business
As data processing activities take place across your organization, it is key to localize the stakeholders which play a role at the beginning of the development or design of a product, process, system, application or project. These people have the main insight into the data processing activities and will be of extreme value to create and maintain the overview. Involve the business when your organization starts to think about the underlying process that is needed to generate these records. Make them aware of the benefits and the added value for your organization.
2. Design (and align) a process, with clear roles and responsibilities
When you have your stakeholders involved, the next step is to determine the process in which the records must be obtained, checked, added to a central register and kept up-to-date. Be aware that lot of the required information will most probably already be obtained by performing Privacy Impact Assessments (PIA’s). If there is an existing supporting process, explore to what extent this new process can be aligned. This will coordinate the required effort, and will prevent the business from providing the required information twice.
Also, make sure that clear roles and responsibilities are defined when the process is being developed. Think about responsibilities with regard to the collection of the required information, including the information into a centralized register and updating the information in the register when needed.
Do not forget to involve other competences as well, such as IT, compliance, procurement and legal, as they could also greatly benefit from the information. Think of the contracts in light of the procurement process in case processors are (going to be) involved. The information will be of great value in settling data processing agreements.
3. Create a central register for the records.
The records that must be kept, should be stored in a centralized manner. Depending on the infrastructure of the specific organization, explore how to support the fundamental process. Preferably, organizations should not “seek refuge” in Excel sheets, as easy as it might be – but rather use a proper tool. In this way one centralized system will provide a full overview of the processing activities that take place within the organization. Of course in this scenario people have to be aware of the proper technical measures, such as access and authorization rights (not everyone should be authorized to change or alter information). The market for privacy tools is expanding rapidly, and it is good to think about the technical requirements and possibilities within your own organization.
Is this obligation a burden or could it become a valuable asset for organizations?
This requirement under the GDPR will require some extensive effort. The organizing part will require a lot of the business, but also of the privacy professionals involved. To convince the business of the added value of these records – besides the fact that it is an obligation of which non-compliance could lead to fines up to EUR 10.000.000 or 2% of the total worldwide annual turnover – will take time. Keeping in mind the development of the process, but also exploring and implementing the technical measures, it will be a time consuming process. Moreover, don’t forget to keep track of existing processing activities: not only new data processing activities must be recorded, but also the activities that are taking place at the moment (and maybe have been for years).
However, there is also something to gain. The records will provide an overview of all data processing activities within your organization, and therefore enable organizations to get a grip on what kind of data categories are being processed, by whom (which departments or business units) and for which underlying purposes. This knowledge will allow organizations to make connections internally, join efforts or projects with the same or equivalent goals and / or challenges and it can result in increasing control over data processing activities. This will provide insight into risks and required mitigation actions, and will inevitably result in empowering organizations to do more – and in a well-ordered manner – with the available personal data.
What do organisations need to do to show accountability for their data processing activities?
Explaining the territorial scope of the GDPR and the situations in which its obligations apply outside the European Union