What is Article 30? – GDPR “Records of processing activities”
Article 30 of the GDPR says that every data controller and data processor must keep “records of processing activities.” So that begs the question…
Does GDPR Article 30 apply to me?
You are a ‘data controller’ if you decide what purpose data is being collected for, or how it’s being collected.
You are a ‘data processor’ if you do the processing on behalf of, and under instruction from another other organisation.
It is common that organisations will be both data controllers and data processors.
GDPR Article 30 applies to both data controllers and data processors and instructs that you must keep the following records:
- the contact details of the data controller’s representative;
- the contact details of your Data Protection Officer (if you have one);
- the purposes of the processing – why are you processing the data?
- a description of the categories of data subjects whose data you are processing (for example, customers or employees);
- a description of the categories of personal data you are processing (for example, contact details or bank details);
- a description of the special categories of data (see Article 9 of GDPR) you are processing if applicable (for example, racial or ethnic origin, religious or philosophical beliefs);
- a description of the processors with whom you may be sharing data (such as third parties);
- your retention policy – when each category of data is likely to be erased;
- a general description of the organisational security measures you’ve implemented (for example restricting who has access to your systems);
- a general description of the technical security measures you’ve implemented (for example data encryption on your website);
- if you transfer data outside the EEA, you’ll need to document where you’re transferring data to, and the safeguards in place to protect that data.
Article 30 and GDPR can be complicated subjects. Our Technical Director, Brian Penfold, covers some of the ‘scaremongering’ tactics some companies are using to profit, including false information, in his article – Behind The Scaremongering – The Actual Truth About GDPR.
At Trident Assurance Services we are currently advising many organisations across the UK in preparation for the introduction of GDPR on 25 May 2018. Please send us an email on firstname.lastname@example.org or call us on 0118 324 9444. We would be delighted to hear from you and provide qualified advice.
We are running GDPR briefings for businesses to give you the fundamentals and practicalities of data protection and GDPR. Contact us to book a briefing.