Big documentation requirements as part of the GDPR (ARTICLE 30)
Records management under the GDPR – Article 30
Each controller and processor is obliged to maintain a Record. If the controller or processor has nominated a representative in the EU, the representative is responsible for maintaining these records.
Which companies need to retain this GDPR documentation?
There is an exemption where the maintenance of records is not required:
- When the company employs fewer than 250 employees, unless:
  - Processing is unlikely to result in a risk to the rights and freedoms of the data subject
  - Processing is not occasional
  - Processing includes special category data
The problem with the above criteria is that they have a bias against technology companies. There are SaaS platforms that hold 150,000 personal data records but have a turnover of €60,000 a year. The GDPR does not discriminate on the turnover of the business or on the ability of the controller to finance the extra workload. Companies like the one I have mentioned will have to seriously consider whether the cost of doing business in the EU is too high.
How should the GDPR records be kept?
Records must be kept in writing and in electronic form, and these documents should be available to supervisory authorities upon their request.
The content of the records
Controllers are required to keep records of all processing activities along with:
- The lawful basis for processing the personal data (customers).
- Records of where consent is used to process personal data.
- The name and contact information of the controller, joint controller, the representative where applicable, and the data protection officer.
- The purposes of the processing.
- A description of the categories of data subjects and categories of personal data.
- Categories of recipients to whom the data are or will be disclosed, including those in third countries.
- Information on transfers to third countries or international organisations, and documentation of suitable safeguards for the transfer.
- Retention or erasure time limits for categories of data.
- Data retention policy.
- Data mapping is recommended to help increase accountability.
- A description of the Article 32(1) technical and organisational security measures deployed.
Keeping these records up to date will be a big challenge
As with most things in the GDPR, the keeping of documents is going to be time-consuming and even onerous.
A ‘less is more’ approach might be prudent here. It is important that these documents are thorough and that they are drafted in clear and understandable language, but they will also need to be updated on a regular basis. It is the nature of documentation that if it is too complex and detailed, it will not be updated and will become inaccurate.
Maintaining accurate and up-to-date Records is a crucial element for an organisation willing to demonstrate compliance.
The documentation needs to be provided to the supervisory authority on request, so controllers need to ensure it is accurate and ready to send.
If you have any questions about GDPR or documentation management – get in touch with us here: