What are my GDPR record keeping obligations?
All companies with more than 250 employees (and many with fewer than 250 employees) are required to maintain thorough records of their data processing, per Article 30 of the Regulation.
GDPR uses the phrase “record keeping”, but chances are you’ve encountered adjacent phrases such as data mapping, data inventory, and data processing inventory. Much of the literature online conflates the definitions of these phrases, but in reality they refer to fundamentally different things.
Below, we explore the meaning of each of these phrases:
- Data inventory: A traditional data inventory is not a new concept introduced by GDPR and is a practice already completed by many organizations. In a data inventory, companies are expected to account for all of the data that is collected and stored on behalf of the organization, identify the personnel responsible for managing the data, identify which personnel have access to which types of data, and be able to show data flows and access on a country-by-country basis. (1)
- Data map: In a data map, the results of the data inventory are taken a step further. A data map shows the path a data record travels from the point of collection through to the point of storage and/or deletion. The data map also includes information about which personnel access a data record, as well as access on a country-by-country basis.
- Data Processing Inventory (DPI): This is a relatively new obligation as introduced by GDPR, but it is not a fundamentally new concept for organizations. A DPI is specifically explained in Article 30 and requires that a company maintain clear documentation of the following:
  - The name and contact details of the controller, representatives and the DPO, if applicable
  - The name and contact details of any processors or joint controllers
  - The purpose of processing
  - The legitimate basis for processing
  - The category and type of data you are processing
  - The members of your organization who will have access to the data and their location
  - Any data transfers to third countries
  - The time limit for which you will hold the data
  - The security measures put in place to safeguard the data
- Record keeping: Under GDPR, record keeping refers to the global set of activities contained in documenting records, processes, and accountability for the data stored by an organization.
Learn more about GDPR with our e-book.