Recap of IAPP | OneTrust Webinar – GDPR Expert Panel: Lessons Learned on How to Tackle Article 30

Click here to watch a recording of the IAPP | OneTrust Webinar – GDPR Expert Panel: Lessons Learned on How to Tackle Article 30

This 60-minute webinar featured a panel of privacy experts who have valuable, hands-on experience building mature privacy programs and tackling the numerous specifications of the GDPR – specifically the Article 30 record keeping requirements.

Our privacy expert panel cited real-world examples to provide guidance and help you determine where to focus your efforts for the next year.

Key Takeaways:


Additional responses to questions we were unable to address during the live session

Q: Are there country specific attributes that need to be incorporated in the Article 30 records?

A: There are no country-specific attributes for Article 30 records; however, some organisations choose to include additional attributes to assist in demonstrating compliance with requirements beyond Article 30.

Q: Isn’t there a difference between data mapping and data inventory? To my knowledge data mapping means finding where one’s data enters the organization, where it goes and who’s using it, then where it ends, while data inventory refers to finding out what categories of data one holds and processes.

A: Yes! Technically, a “data inventory” is a table that shows all the data your organisation collects, what it is used for, where it is located, and with whom it has been shared. A “data map” is a visualization of the inventory. For example, this could be a diagram showing how data flows throughout the organisation, between assets, or across borders.

Q: How detailed should “data processing activities” be defined in a data map? Could you give examples of such activities when populating a data map in spreadsheet, for example?

A: Supervisory authorities and the Article 29 Working Party are expected to issue guidance on Article 30. In fact, 17 German DPAs have formed a working group to develop a Model Processing Operations Index, which may be useful in understanding how detailed your records should be.

Q: Would you validate the response from the questionnaire in some way to ensure it has been completed correctly?

A: It is common for organisations to include an approval stage in their workflow, for this purpose. This may help to ensure that your records are accurate, complete and up-to-date.

Q: Would it be advisable to consider using the register for the data processing as a complementary tool for the completion of the requirements under Article 35, or would it be advisable to include the tool developed under Article 35 into the register? Please explain your response, why it’s preferable, and provide a few examples.

A: Organisations may find some commonality in the questions that you asked in their Article 30 questionnaires and Article 35 questionnaires. For this reason, many organisations find ways to feed answers from one questionnaire to the other. For example, Article 30(1) requires that controllers document “the purposes of the processing.” This is also required to be included of your Data Protection Impact Assessment (DPIA), under Article 35. OneTrust is one way in which you can automate this linkage.

Q: The Data Processor obligations regarding the Article 30 are that IT suppliers shall inform and support Controller –– what is needed for that?

A: Processors must maintain a record of all categories of processing activities carried out on behalf of a controller, and Article 30(2) lists the specific attributes that must be included. Additional obligations for processors can be found in Articles 28-31, 33, 37, and 44. For example, Article 28(3)(g) requires that processing agreements stipulate that (among other things) the processor assist the controller in ensuring compliance with Articles 32-36; and Article 33 requires that the processor must notify the controller of any data breach without undue delay.

Controllers & Processors Obligations

Q: Do all processes need to be captured in data mapping, or can a risk-based approach be taken?

A: Article 30 makes no mention of risk in terms of what must be included in these records; however, some organisations have found that it makes sense to address high-risk processing activities first when building their records.

Q: Given the fact that Article 30 is intended to replace the requirement for an organisation to register their databases, would a recommended approach to data mapping be to map the processing of each database that processes personal data?

A: An “asset/application-centric” approach can be useful in providing a starting point and defining scope, and many organisations will start with this and eventually gravitate toward a “business process-centric” approach where they define the processing activity first and then tie that back to an asset/application. Either way, OneTrust has found that a hybrid approach tends to evolve because not every asset/application processes personal data, and some processing activities may be manual and not involve an asset/application.

Q: Should questionnaires be created to capture specific individual processes or general overall processes?

A: This depends on whether the organisation is a controller or processor for a particular activity. Controllers must maintain a record of “processing activities,” while processors must maintain a record of “categories of processing activities.” There is a difference in granularity, and this is expected to be addressed in future guidance from the Article 29 Working Party and member state DPAs.