Belgian DPA Guidance on GDPR Article 30 Records of Processing Requirements
The Belgian Data Protection Authority (DPA) published guidance on meeting the EU General Data Protection Regulation (GDPR) Article 30 records of processing requirements.
Under the GDPR, set to go into effect on 25 May 2018, organisations will be expected to maintain extensive and up-to-date internal records of their data processing activities.
According to Article 30 of the GDPR, organisations will be held accountable for compliance with record keeping requirements, with equal responsibility given to both data controllers and data processors.
Here are some of the main points made in the Belgian DPA guidance:
- Sharing records – It may not always be necessary for both the controller and the processor to maintain an individual set of records for every activity. In some cases, they could put in place a single set of shared records that they can quickly make available to the DPA upon request. In the event that an organisation fulfills the role of both the controller and processor for a particular activity at the same time, the records may be split up to correspond to those respective roles.
- Maintaining records – The DPA recommends that all controllers and processors maintain such records as good business practice, even if they fall within the exemption to the requirement, found in Article 30(5). However, the DPA stated that for SMEs who fall within the exemption, it would be adequate if they chose to only maintain records of non-occasional activities. If organisations keep detailed records on hand, it will be much easier for them to cooperate with DPAs and demonstrate compliance with other requirements in the GDPR.
- A starting point – Under current EU law, controllers are required to notify member state DPAs of their processing activities so that the DPAs can keep records of those activities. The Belgian DPA recommends that organisations use the notifications they have filed with DPAs as a starting point in building their Article 30 records.
- Granularity of records – The number of records should correspond to the number of purposes of processing. In other words, if multiple processing activities have the same purpose, then only one record is necessary. For example, if an organisation collects, records, and analyses personal data all for the same purpose, then only one record is needed for that activity, rather than three.
- Describing the purpose – The description of the purpose should be as detailed as possible. Organisations should look to the current requirements for notifications to DPAs under the current law, to understand how much detail is needed. The notification guidelines can be found in Annex 1 of the guidance.
- Special Categories and Minors – In addition to listing the categories of personal data generally, organisations should consider identifying those records which involve special categories of data and data of minors, as a way of more easily identifying and tracking specific requirements surrounding those attributes under the GDPR.
- Individual Recipients – In addition to recording the categories of recipients of personal data, organisations should consider identifying individual recipients, to assist in data mapping and meeting other GDPR requirements.
- Retention Periods – Retention periods do not necessarily need to be expressed in months or years. In many cases, it may make sense to use more general criteria, such as “the time necessary to realize the concrete purpose that the controller wishes to obtain.” A statute of limitations could also be referenced. As for retention of the records themselves, the Belgian DPA recommends that organisations keep the records for at least 5 years after termination of the activity, as DPAs may still request to view records of the activity after it has been terminated.
- Involving the Organisation – All relevant departments and the organisation’s data protection officer (DPO), if appointed, should be involved in building the records, and the records should be written in clear and plain language that can be easily understood across the organisation.
How OneTrust Helps
Data mapping and inventory are critical components of any privacy program. OneTrust provides a simple and automated solution for data mapping, designed to address compliance with GDPR Article 30 record-keeping requirements and self-certification with Privacy Shield for data transfers. OneTrust Data Mapping helps organisations to visualise the entire data lifecycle, maintain an evergreen data inventory (data processing register), identify gaps, and track recommendations, evidence and approvals for remediating risk.