What is Article 30 GDPR?
Article 30 of the EU General Data Protection Regulation (GDPR) requires controllers and processors of personal data to maintain a record of their processing activities, in writing (electronic form is acceptable), and to make it available to the supervisory authority on request. Article 30(5) exempts organisations with fewer than 250 employees, but only if the processing is occasional, unlikely to result in a risk to individuals, and does not involve special categories of data or data about criminal convictions; in practice most organisations that handle personal data routinely will not qualify for the exemption.
Why does this matter? Keeping the record forces an organisation to establish exactly what personal data it collects and why, how and where that data is stored and protected, and where it flows inside and outside the organisation. An organisation cannot secure, report on, or delete data it has not inventoried, so the record is also the foundation for breach response and data-subject requests.
What Documentation is Required of a Data Processor?
Under the GDPR, a data processor is a natural or legal person or other body that processes personal data on behalf of a controller, on the controller's instructions and for the controller's purposes. Typical processors are outsourced service providers: an HR or payroll provider that handles thousands of data points about its clients' candidates and employees, or a third-party contact centre that captures information from callers. Processors work under controllers (usually the organisation that decides why and how the data is used); a department inside the controller's own organisation is part of the controller, not a separate processor.
Under Article 30(2), each processor must keep a record of all categories of processing carried out on behalf of each controller, containing:
- the name and contact details of the processor and of each controller on behalf of which the processor is acting, and, where applicable, of the controller's or processor's representative and data protection officer;
- the categories of processing carried out on behalf of each controller;
- where applicable, transfers of personal data to a third country or international organisation, including the identification of that third country or organisation and, for transfers relying on the derogation in Article 49(1), the documentation of suitable safeguards; and
- where possible, a general description of the technical and organisational security measures referred to in Article 32(1).
Article 30(1) requires the controller's own record to go further. Processors are routinely asked by controllers to supply this information too, so a practical processor record also covers:
- the categories of individuals (data subjects) whose personal data is being processed;
- the purposes of the processing, that is, why the personal data is being used;
- the categories of personal data being processed, for example contact details, health information or financial information;
- the categories of recipients of the personal data, for example credit bureaus, government departments or suppliers; and
- the envisaged retention periods for the different categories of data.
Personal data that the record does not account for is data the organisation cannot protect, report on, or delete when required. An incomplete record therefore exposes the organisation both to an increased risk of a data breach and to non-compliance with Article 30.