Author: Marija Bošković Batarelo, Parser compliance, www.parser.hr
What is a Record of processing activities?
Among the obligations set out by the General Data Protection Regulation (GDPR), there is one on maintaining Records of processing activities.
It is an internal record that contains the information of all personal data processing activities carried out by the company or organization.
In its Article 30, the GDPR lays out the obligation to maintain records, their content, their form, the obligation to make them available to the supervisory authority on request, and the exceptions to the obligation of maintaining a record.
It is intended as an accountability measure for companies and a first step down the road of compliance with data protection law.
As we will explain later, maintaining Records of processing activities should not be taken merely as a burdensome obligation but should also be used as a helpful tool to ensure compliance.
Is the Record of processing activities obligatory?
The first question a data controller or processor should ask themselves is whether this obligation applies to them. The short answer is YES, it most likely does.
Article 30(5) exempts enterprises and organisations employing fewer than 250 persons, but the exemption is narrow.
The record-keeping obligation also applies to an enterprise or organisation employing fewer than 250 persons if any one of the following holds:
• the processing it carries out is likely to result in a risk to the rights and freedoms of data subjects;
• the processing is not occasional;
• the processing includes special categories of personal data;
• the processing includes personal data relating to criminal convictions and offences.
On closer examination, the second condition (processing that is not occasional) makes this obligation applicable to most (if not all) enterprises and organisations, since most of them are under some national obligation that makes some processing of personal data mandatory.
The most obvious example of this would be the obligation of processing of personal data of employees for the purposes of paying out their salaries.
The nature of this obligation makes the activity periodic and regular, the opposite of occasional.
Mandatory content of Records of processing activities
Records of processing activities should be a comprehensive list of all the processing activities that data controllers and data processors perform, together with the details of each.
The following information is laid down by Article 30(1) as mandatory content for every record of processing activity kept by a data controller:
• name and contact details of the controller and, where applicable, of the joint controller, the controller's representative and the data protection officer;
• purposes of the processing;
• categories of data subjects and categories of personal data;
• categories of recipients, including recipients in third countries or international organisations;
• where applicable, transfers of personal data to a third country or an international organisation, including the identification of that country or organisation;
• where possible, the envisaged time limits for erasure of the different categories of data;
• where possible, a general description of the technical and organisational security measures.
Pursuant to Article 30(2), data processors are obliged to record the following information in their records of processing activities:
• the name and contact details of the processor or processors and of each controller on behalf of which the processor is acting, and, where applicable, of the controller's or processor's representative and the data protection officer;
• the categories of processing carried out on behalf of each controller;
• where applicable, transfers of personal data to a third country or an international organisation, including the identification of that country or organisation;
• where possible, a general description of the technical and organisational security measures.
Additional content of Records of processing activities
This certainly does not preclude controllers and processors from including other information in their records. However, the record of processing activities should not be smothered with information, least of all information nobody needs.
Records should be neat, simple and intelligible. There are two main reasons for this:
1. It is in the controller's or processor's best interest to make the supervisory authority's inspection as easy as possible.
Since the record of processing activities is most likely to be the starting point of any supervision, that process will be faster and less painful if the records are kept in a neat, almost minimalistic form.
2. The second reason is to help the controller or processor stay in control of their processing activities and their GDPR compliance.
Record of processing activities should be a representation of the GDPR compliance of a company and therefore, should be kept in such a way that makes it easy for the controller/processor to oversee all its processing activities and to add, alter, or remove information as circumstances change.
None of this means that adding information beyond what is required is bad.
If adding it makes it easier to overview all the processing activities and to maintain a high level of compliance, then it is highly recommended.
Keeping records of processing activities regularly updated is of the highest importance. Failing to keep records simple and neat, and to update them regularly, soon leads to a situation in which a lot of time and energy has to be invested in putting things back in order.
This, in turn, makes it harder to maintain a satisfactory level of compliance, which may eventually lead to high penalties.
Therefore, records of processing activities can help keep enterprises and organisations in control of the legality of their processing activities, their level of security, and their obligations regarding personal data protection.
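The mandatory content listed above and the point about keeping records current lend themselves to a mechanical check once the record is kept in a structured form rather than free text. The script below is an added example, not code from the original article or from any product it mentions: it encodes the Article 30(1) and 30(2) field lists per role, reports which mandatory keys an entry lacks, and flags entries whose last review is older than an assumed one-year interval (the GDPR sets no review interval; that value, the key names and the two sample activities are this example's own assumptions). The check deliberately tests for the presence of a key rather than a non-empty value, so that an explicit "no third-country transfers" is recorded differently from the question never having been asked.

```python
"""Role-aware completeness and staleness check for Article 30 records (added example)."""
from __future__ import annotations

from datetime import date, timedelta

# Mandatory content per role, following Article 30(1) (controllers) and
# Article 30(2) (processors). The key names are this example's own
# convention, not a GDPR-defined schema.
CONTROLLER_FIELDS = frozenset({
    "controller_contact",        # 30(1)(a) name and contact details
    "purposes",                  # 30(1)(b)
    "data_subject_categories",   # 30(1)(c)
    "personal_data_categories",  # 30(1)(c)
    "recipient_categories",      # 30(1)(d)
    "third_country_transfers",   # 30(1)(e); an empty list is a valid answer
    "erasure_time_limits",       # 30(1)(f)
    "security_measures",         # 30(1)(g)
})
PROCESSOR_FIELDS = frozenset({
    "processor_contact",         # 30(2)(a)
    "controllers",               # 30(2)(a) each controller acted for
    "processing_categories",     # 30(2)(b)
    "third_country_transfers",   # 30(2)(c); an empty list is a valid answer
    "security_measures",         # 30(2)(d)
})


def missing_fields(record: dict) -> list[str]:
    """Return the mandatory keys absent from one record, sorted.

    Presence is checked, not truthiness: "third_country_transfers": []
    documents that no transfer takes place, whereas a missing key means
    the question was never answered.
    """
    role = record.get("role")
    if role == "controller":
        required = CONTROLLER_FIELDS
    elif role == "processor":
        required = PROCESSOR_FIELDS
    else:
        return ["role"]
    return sorted(key for key in required if key not in record)


def is_stale(record: dict, today_iso: str, max_age_days: int = 365) -> bool:
    """True when the record has no review date or it is older than the assumed interval."""
    reviewed = record.get("last_reviewed")
    if reviewed is None:
        return True
    age = date.fromisoformat(today_iso) - date.fromisoformat(reviewed)
    return age > timedelta(days=max_age_days)


def review_register(records: list[dict], today_iso: str) -> dict[str, list[str]]:
    """Map each activity name to its problems; complete, fresh records are omitted."""
    findings: dict[str, list[str]] = {}
    for rec in records:
        issues = [f"missing: {key}" for key in missing_fields(rec)]
        if is_stale(rec, today_iso):
            issues.append("stale: review date missing or older than the review interval")
        if issues:
            findings[rec.get("activity", "<unnamed>")] = issues
    return findings


# Constructed sample register (two activities), not data from any real organisation.
SAMPLE_REGISTER = [
    {
        "activity": "Payroll",
        "role": "controller",
        "controller_contact": "Example d.o.o., privacy@example.test",
        "purposes": ["salary payment", "statutory reporting"],
        "data_subject_categories": ["employees"],
        "personal_data_categories": ["identity", "bank account", "salary"],
        "recipient_categories": ["payroll provider", "tax authority"],
        "third_country_transfers": [],
        "erasure_time_limits": "statutory retention period after employment ends",
        "security_measures": ["role-based access", "encrypted backups"],
        "last_reviewed": "2024-03-01",
    },
    {
        "activity": "Hosted ticketing (on behalf of clients)",
        "role": "processor",
        "processor_contact": "Example d.o.o., privacy@example.test",
        "controllers": ["Client A", "Client B"],
        "processing_categories": ["storage", "support access"],
        # third_country_transfers and security_measures were never filled in
        "last_reviewed": "2022-11-15",
    },
]

if __name__ == "__main__":
    for name, issues in review_register(SAMPLE_REGISTER, "2024-06-01").items():
        print(name)
        for issue in issues:
            print("  -", issue)
```

Run stand-alone, the script lists only the second activity, with two missing mandatory keys and a stale review date; the payroll entry passes because every Article 30(1) key is present, including the explicit empty transfer list. A register kept in a spreadsheet can be exported to this structure with one row per activity.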
Records of processing activities Forms
As for the form of the records, Article 30(3) requires them to be in writing, including in electronic form. In practice, spreadsheets such as Microsoft Excel are the most commonly used tool.
Some national supervisory authorities have issued their own record of processing activities templates; the French (CNIL) and British (ICO) supervisory authorities both publish one.
Records must be kept by controllers/processors themselves so that they can have an overview of their processing activities.
Controllers/processors should designate one person within their structure to personally be in charge of maintaining the records.
If the controller or processor has a designated data protection officer, the data protection officer will usually be in charge of maintaining the records.
New privacy management solutions, such as Data Privacy Manager, are useful tools to monitor compliance and to notify designated persons on each change.
It is wise to set an obligation for the heads of each department within the company to notify the person designated to maintain the records on each change made to their processing activities (new contracts signed, new data processors, new purposes, new data subject categories, etc.) so that the records could be kept as up to date as possible.
Having records of processing activities should be a primary concern when it comes to GDPR compliance. Not only are they required by the law, they are also a very useful tool for monitoring compliance.