Among the obligations set out by the General Data Protection Regulation (GDPR) is the obligation to maintain records of data processing activities. This is an internal record that contains information about all personal data processing activities. In Article 30, the GDPR lays out provisions on the obligation to maintain records, their contents, their form, the obligation to make them available to the authorities, and the exceptions to the obligation. It is intended as an accountability measure for companies and as a first step down the road to compliance. As we will explain later, maintaining records should not be taken merely as a burdensome obligation, but should also be used as a helpful tool for ensuring compliance.
Is it obligatory?
The first question a data controller or processor should ask themselves is whether this obligation applies to them. The short answer is yes, it most likely does. Although this obligation applies in principle only to enterprises or organisations employing more than 250 persons, there are some notable exceptions to this rule.
The record maintaining obligation shall also apply to every enterprise or organisation employing fewer than 250 persons if:
1) the processing it carries out is likely to result in a risk to the rights and freedoms of data subjects;
2) the processing is not occasional;
3) the processing includes special categories of data;
4) the processing includes personal data relating to criminal convictions and offences.
On closer examination, we can see that point 2 makes this obligation applicable to most (if not all) enterprises and organisations, since most of them are subject to some national obligation that makes some processing of personal data mandatory. The most obvious example is the obligation to process the personal data of employees for the purpose of paying their salaries. The nature of this obligation makes the activity periodic and regular, as opposed to occasional.
Records of processing activities should be a comprehensive list of all the processing activities that data controllers and data processors perform, together with the particulars relating to them. Article 30(1) lays down the following information as mandatory content for every record of processing activities kept by a data controller:
name and contact details of the controller;
purposes of the processing;
categories of data subjects;
categories of recipients;
transfers of personal data to a third country or an international organisation;
time limits for erasure;
technical and organisational security measures.
Pursuant to Article 30(2), data processors are obliged to record the following information in their records of processing activities:
the name and contact details of the processor;
the categories of processing carried out on behalf of each controller;
transfers of personal data to a third country or an international organisation;
technical and organisational security measures.
This certainly does not preclude controllers and processors from including other information in their records. However, a record of processing activities should not be cluttered with too much information, especially unnecessary information. Records should be neat, simple and intelligible. There are two main reasons for this.
The first concerns the obligation of controllers and processors, set out by the GDPR in Article 30(4), to make the record available to the supervisory authority on request. It is in the controller's or processor's best interest to make it easy for the supervisory authority to carry out its inspection. Since the record of processing activities is most likely to be the starting point of any supervision, that process will be much faster and less painful if the records are kept in a neat, almost minimalistic form.
The second reason is to help the controller or processor stay in control of their processing activities and their GDPR compliance. The record of processing activities should be a representation of a company's GDPR compliance. Therefore, it should be kept in a way that makes it easy for the controller or processor to oversee all of its processing activities.
However, none of the above means that adding information beyond what is required is bad. If adding it makes it easier to oversee all the processing activities and to maintain a high level of compliance, then doing so is highly recommended.
Keeping records of processing activities regularly updated is very important. Failing to keep records simple and neat, and to update them regularly, would soon lead to a situation in which a lot of time and energy would have to be invested to put things back in order. This may in turn make it harder to maintain a satisfactory level of compliance, which may eventually lead to high penalties.
Therefore, records of processing activities can help organisations stay in control of the legality of their processing activities, their level of security, and their obligations.
As for the form of the records, the GDPR requires them to be in writing, which includes electronic form. For this purpose, Microsoft Excel sheets are the most popular tool. Some national supervisory authorities have issued their own record of processing activities templates. Here are two examples, from the French (CNIL) and British (ICO) supervisory authorities:
Records must be kept by the controllers or processors themselves, so that they have an overview of their own processing activities. Controllers and processors should designate one person within their organisation to be personally in charge of maintaining the records. If the controller or processor has a designated data protection officer, the data protection officer will usually be in charge of maintaining the records.
It is wise to oblige the heads of each department within the company to notify the person designated to maintain the records of every change.
Having records of processing activities should be a primary concern when it comes to GDPR compliance. Not only are they required by law, they are also a very useful tool for monitoring compliance.