What GDPR says about record keeping

GDPR places the burden on companies (“data controllers” or “data processors”) to thoroughly document all data processing activities that fall within the scope of the Regulation. Although the terms “data inventory” and “data mapping” do not appear in the Regulation itself, Article 5 sets out the principles for processing personal data, Article 6 defines when processing is lawful, and Article 30 sets the expectations for records of processing activities.

Article 5: The Manner in Which Personal Data is Processed

Article 5 of the Regulation is fundamental to understanding GDPR, because it states the principles by which personal data must be processed by organizations within the scope of the Regulation. The key components of the article are summarized below. A comprehensive description of Article 5 is available here.

Personal data shall be:

  1. processed lawfully, fairly and transparently (see Article 6);
  2. collected for specified, explicit and legitimate purposes, and not further processed in a manner that is incompatible with those purposes. Further processing for archiving purposes in the public interest, for scientific or historical research purposes or for statistical purposes is not considered incompatible with the initial purposes (as stated in Article 89);
  3. adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed (‘data minimization’);
  4. accurate and, where necessary, kept up to date. Reasonable steps must be taken to erase or amend personal data that is inaccurate;
  5. kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed. Longer storage is permitted where the personal data is processed in the public interest, for scientific or historical research purposes or for statistical purposes (Article 89);
  6. processed in a manner that secures personal data, including protection against unauthorized or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organizational measures (‘integrity and confidentiality’).

Under Article 5(2), the controller is responsible for, and must be able to demonstrate compliance with, the principles listed in paragraph 1.

Article 6.1: Lawfulness of Data Processing

Article 6 of the Regulation states that, for data processing to be considered lawful, at least one of the following circumstances must apply:

  1. The data subject has given consent for their data to be processed.
  2. Processing is necessary for the performance of a contract your organization has with the data subject, or to take steps requested by them before entering into a contract (such as preparing a quote).
  3. Processing is necessary to comply with a legal obligation.
  4. Processing is necessary to protect the data subject’s (or another person’s) vital interests.
  5. Processing is necessary to perform a task in the public interest or in the exercise of official authority.
  6. Processing is necessary to protect the organization’s (or a third party’s) legitimate interests.

Article 30: Records of Processing Activities

Keeping records of how personal data is processed, and of the nature and purpose of each processing activity, is central to maintaining compliance with GDPR. The supervisory authority monitoring your organization may demand, at any time, to see records of your data processing activities, and your organization is obligated to provide comprehensive records that include the following details, as described in Article 30.

  1. Each data controller must maintain a record of processing activities under its responsibility. That record must contain all of the following information:
    1. the name and contact details of the controller and/or the joint controller, the controller’s representative and the data protection officer;
    2. the purposes of the processing;
    3. a description of the categories of data subjects and of the categories of personal data;
    4. the categories of recipients to whom the personal data have been or will be disclosed, including recipients in third countries or international organizations;
    5. where applicable, transfers of personal data to a third country or an international organization, including the identification of that third country or international organization and the documentation of suitable safeguards (Article 49.1);
    6. where possible, the envisaged time limits for storing and erasing the different categories of data;
    7. where possible, a general description of the technical and organizational security measures (Article 32.1).
  2. Each processor and/or the processor’s representative must maintain a record of all categories of processing activities carried out on behalf of a controller, containing:
    1. the name and contact details of the processor(s) and of each controller on behalf of which the processor is acting, and/or the controller’s or the processor’s representative, and the data protection officer;
    2. the categories of processing carried out on behalf of each controller;
    3. where applicable, transfers of personal data to a third country or an international organization, including the identification of that third country or international organization and the documentation of suitable safeguards for the relevant transfer (Article 49.1);
    4. where possible, a general description of the technical and organizational security measures referred to in Article 32.1.
  3. The records referred to in paragraphs 1 and 2 must be in writing, including in electronic form.
  4. The controller or the processor and, where applicable, their representative(s), must make the record available to the supervisory authority on request.
  5. The obligations referred to in paragraphs 1 and 2 do not apply to an enterprise or an organization employing fewer than 250 persons unless the processing it carries out is likely to result in a risk to the rights and freedoms of data subjects, the processing is not occasional, or the processing includes special categories of data as referred to in Article 9.1 or personal data relating to criminal convictions and offenses referred to in Article 10.

Recital 82: Record of processing activities

Recital 82 says that, in order to demonstrate compliance with GDPR, the controller or processor should maintain records of the processing activities under its responsibility.

Each controller and processor can be obliged by a supervisory authority to make those records available to it on request, so that they can serve for monitoring those processing operations for compliance with GDPR.


Disclaimer

This article is provided for general informational purposes only and is not intended to be legal advice. By using the article, you agree that the information in this article does not constitute legal or other professional advice. The article is not a substitute for obtaining legal advice from a qualified attorney licensed in your state. The information in the article may be changed without notice, is not guaranteed to be complete, correct or up-to-date, and may not reflect the most current legal developments.