One of the main tenets of the GDPR is accountability; the obligation that companies be responsibility for the data they process and be able to demonstrate compliance. Under the GDPR, instead of providing notifications to the DPA, organisations will need to maintain their own internal documentation, and update those documents whenever something changes. This is the requirement laid out by Article 30.
Article 30: The basics
A record of processing activities needs to contain a minimum number of elements, spelled out in the Regulation and include the purpose of the processing, categories of data subjects, whether personal data is being transferred, the categories of recipients for all data that will be disclosed, the third-party countries where data will be shared, as well as your retention periods. Finally, you’ll need to include the technical and organisational measures that you have in place to secure the data.
If your organisation has less than 250 employees, the obligation to maintain a register may not apply to you. That being said, if you are a small company but your processing activities are risky (for example because you process health data), a register is still required.
Data Inventory vs. Processing Activities Register
Many organisations seem to think Article 30 requires them to create a full data inventory, based on the location of the data. However, such an inventory is not what this provision requires. As noted above, the processing activities register needs to be based on the purpose of your processing operations. The distinction between the data inventory and the processing activities register are as follows:
- Snapshot in time of the data assets that an organisation handles
- Can cover both personal data and other data types
- Helps to understand data flows within the organisation
- Resource intensive
- Never truly complete, as data continually evolves
- Does not align with how the business works
Processing activities register:
- Replacement of the current obligation to register with the DPA
- Should be available on demand
- Aligns with business needs
- Documents business processes on how data is being used instead of specific data.
Article 30: An example
Many DPA’s including the French CNIL and the UK ICO have developed sample documents to assist organisations in creating their Article 30 record of processing. In addition, Nymity makes sample and customizable documents available through Nymity Templates™
As you can see, building your processing activities register is not only a legal requirement, but it can also be an important component in your accountability. As an organisation, it is also important to take a look at how to mitigate your risk while maintaining your records.
For some organisations, the processing activities register is the backbone of the privacy program. It provides an excellent idea of what is happening in your organisation, and why. You identify the ongoing operations, and from there can build and/or assess your current technical and organisational measures. You can assess which operations are high risk, perhaps signaling the need for a DPIA. It’s easy to see how the Article 30 can be an excellent place to start, as it naturally begins to identify a number of other necessary activities.
To learn about Nymity’s automated solution to address records of processing activities, visit https://www.nymity.com/products/expertmapping.aspx and see how Nymity ExpertMapping™ is a simple, automated solution that turns data inventory into an outcome of detailed project reviews, perfect for maintaining the type of comprehensive and current internal records required by the GDPR.
Your organisation needs to document how you protect the data that is under your responsibility. At Nymity, we call this an Accountability PIA. It’s a new and innovative approach to creating your processing register and completing an impact assessment at once. The process provides insight on what is taking place within your organisation; it’s the link that ties your accountability mechanisms to each specific project.
This next generation PIA framework enables PIA’s to be more scalable, while making better use of resources. For the business, it enables more processing of personal data, and provides evidence of compliance.
To learn more about how Nymity ExpertPIA™ provides a unique approach which is quick, simple and compliant, includes labour-saving technology, and addresses GDPR compliance, visit https://www.nymity.com/products/expertpia.aspx
For more information on how Nymity’s clients are preparing for the Article 30 requirement: