GDPR: Where to Start with Documentation and How Automation Can Help

Richard Saville, Solutions Consultant at Opus

If there’s one word – well, acronym – on everyone’s lips this year, it’s GDPR. The deadline for General Data Protection Regulation compliance is now here, and everyone is talking about its impact, who’s affected and how to prepare.

One area in particular many businesses may not have considered: Article 30. Under the article, your business will be required to “maintain a record of processing activities under its responsibility.”

Not only will your company have to document the processing of all personal data entrusted to you, you’ll be required to produce that documentation on-demand, for example, in the event of an investigation.

This kind of requirement should be seen as positive — it will help your business stay accountable to demonstrating that your processing activities are in line with GDPR.

As we all know, the risk of not complying with GDPR is significant. If the requirements are not met, there may be an administrative fine of up to EUR 10 Million, or up to 2% of annual global turnover.

So, Does GDPR Article 30 Apply to Your Business?

To start with, GDPR states that only businesses employing 250 employees or more must keep a record of their processing activities. But, if your business has fewer than 250 employees, you may not be off the hook. The obligation also applies to smaller businesses if:

• processing is likely to result in a risk to the rights of affected employees
• processing is not occasional
• processing includes special categories of data, such as health data, data related to political or philosophical beliefs or personal data relating to criminal convictions and offences

This is new for many small and medium-sized businesses, since the mandate for record-keeping has not previously been this extensive.

What Should the Record Look Like?

The UK regulator, the Information Commissioner’s Office (ICO), recently published additional guidance regarding the explicit provisions contained within GDPR that require you to maintain internal records of your processing activities.

Among other things, records must be kept on processing purposes, data sharing and retention. Documenting this information is linked to the principle of accountability and will help you to demonstrate your compliance with GDPR.

Data Controllers vs Data Processors

Under GDPR it’s likely that you’ll be a data controller and your third parties, such as marketing agencies/IT suppliers/payroll providers, etc., will be data processors.

Both controllers and processors have their own documentation requirements, but controllers need to keep more extensive records than processors. It’s still an onerous process for data processors, especially if you imagine that your third parties may have a number of clients for whom they have to keep such detailed records.

Here’s a quick breakdown of some of the requirements for each type of record under GDPR’s Article 30:

Controllers

• If applicable, the name and contact details of your data protection officer – a person designated to assist with GDPR compliance under Article 37.
• The purposes of the processing – why you use personal data, e.g. customer management, marketing, recruitment.
• If applicable, the name of any third countries or international organisations that you transfer personal data to (any country or organisation outside the EU)

Processors

• The categories of processing you carry out on behalf of each controller (the types of things you do with the personal data, e.g. marketing, payroll processing, IT services)
• If applicable, the name of any third countries or international organisations that you transfer personal data to (any country or organisation outside the EU)
• If applicable, the safeguards in place for exceptional transfers of personal data to third countries or international organisations.

Again, these are just some, not all, of the requirements specific to both data controller and processors within your third-party relationship. For the full list of requirements, review Opus’ GDPR compliance checklist.

How Automation Can Help with Documentation Under GDPR Article 30

Ensuring all your third parties are complying with all new GDPR requirements can be laborious and time consuming. Employing automated compliance solutions, grounded in regulatory guidance from the ICO and the GDPR regulation itself, allows you to:

• Identify the third parties with whom you share personal data
• Scope the appropriate controls for each third party based on the data shared
• Send relevant questionnaires to each third party to assess whether they meet these controls
• Automatically map responses back to specific controls
• Assess and document the effectiveness of a third party’s controls
• Recommend and track remediation where a control is not met

As the race to stay and keep compliant with GDPR continues, businesses will be scrambling to ensure they have the consent to hold onto individuals and clients’ data. Ultimately, however, GDPR boils down to more than having legal consent. The priority for businesses should be to ensure all data processing is legal and the necessary technical and organisational measures to ensure compliance are well established.

Richard Saville, Solutions Consultant at Opus

If there’s one word – well, acronym – on everyone’s lips this year, it’s GDPR. The deadline for General Data Protection Regulation compliance is now here, and everyone is talking about its impact, who’s affected and how to prepare.

One area in particular many businesses may not have considered: Article 30. Under the article, your business will be required to “maintain a record of processing activities under its responsibility.”

Not only will your company have to document the processing of all personal data entrusted to you, you’ll be required to produce that documentation on-demand, for example, in the event of an investigation.

This kind of requirement should be seen as positive — it will help your business stay accountable to demonstrating that your processing activities are in line with GDPR.

As we all know, the risk of not complying with GDPR is significant. If the requirements are not met, there may be an administrative fine of up to EUR 10 Million, or up to 2% of annual global turnover.

So, Does GDPR Article 30 Apply to Your Business?

To start with, GDPR states that only businesses employing 250 employees or more must keep a record of their processing activities. But, if your business has fewer than 250 employees, you may not be off the hook. The obligation also applies to smaller businesses if:

• processing is likely to result in a risk to the rights of affected employees
• processing is not occasional
• processing includes special categories of data, such as health data, data related to political or philosophical beliefs or personal data relating to criminal convictions and offences

This is new for many small and medium-sized businesses, since the mandate for record-keeping has not previously been this extensive.

What Should the Record Look Like?

The UK regulator, the Information Commissioner’s Office (ICO), recently published additional guidance regarding the explicit provisions contained within GDPR that require you to maintain internal records of your processing activities.

Among other things, records must be kept on processing purposes, data sharing and retention. Documenting this information is linked to the principle of accountability and will help you to demonstrate your compliance with GDPR.

Data Controllers vs Data Processors

Under GDPR it’s likely that you’ll be a data controller and your third parties, such as marketing agencies/IT suppliers/payroll providers, etc., will be data processors.

Both controllers and processors have their own documentation requirements, but controllers need to keep more extensive records than processors. It’s still an onerous process for data processors, especially if you imagine that your third parties may have a number of clients for whom they have to keep such detailed records.

Here’s a quick breakdown of some of the requirements for each type of record under GDPR’s Article 30:

Controllers

• If applicable, the name and contact details of your data protection officer – a person designated to assist with GDPR compliance under Article 37.
• The purposes of the processing – why you use personal data, e.g. customer management, marketing, recruitment.
• If applicable, the name of any third countries or international organisations that you transfer personal data to (any country or organisation outside the EU)

Processors

• The categories of processing you carry out on behalf of each controller (the types of things you do with the personal data, e.g. marketing, payroll processing, IT services)
• If applicable, the name of any third countries or international organisations that you transfer personal data to (any country or organisation outside the EU)
• If applicable, the safeguards in place for exceptional transfers of personal data to third countries or international organisations.

Again, these are just some, not all, of the requirements specific to both data controller and processors within your third-party relationship. For the full list of requirements, review Opus’ GDPR compliance checklist.

How Automation Can Help with Documentation Under GDPR Article 30

Ensuring all your third parties are complying with all new GDPR requirements can be laborious and time consuming. Employing automated compliance solutions, grounded in regulatory guidance from the ICO and the GDPR regulation itself, allows you to:

• Identify the third parties with whom you share personal data
• Scope the appropriate controls for each third party based on the data shared
• Send relevant questionnaires to each third party to assess whether they meet these controls
• Automatically map responses back to specific controls
• Assess and document the effectiveness of a third party’s controls
• Recommend and track remediation where a control is not met

As the race to stay and keep compliant with GDPR continues, businesses will be scrambling to ensure they have the consent to hold onto individuals and clients’ data. Ultimately, however, GDPR boils down to more than having legal consent. The priority for businesses should be to ensure all data processing is legal and the necessary technical and organisational measures to ensure compliance are well established.