What is GDPR Article 30?
The GDPR has several reporting requirements, including Article 30, which pertains to records of processing activities. The requirements for Article 30 are likely to apply to most companies because of its broad applicability.
Companies preparing to comply with GDPR Article 30 should look at how data moves through each of its business processes, not just where the data resides. In other words, “follow the data”.
Article 30 requires companies to produce “records of processing activities”, which will allow regulators to see that you are adhering to GDPR. With this goal in mind, the records should show why and how the data is being processed.
Strictly focusing on the data elements themselves may cause a company to overlook including these important elements. In contrast, focusing on how the data is collected and why it is collected will help you adhere to GDPR requirements.
How does Article 30 affect your business?
What documentation is required?
Each processor and, where applicable, the processor’s representative shall maintain a record of all categories of processing activities carried out on behalf of a controller, containing:
- the name and contact details of the processor or processors and of each controller on behalf of which the processor is acting, and, where applicable, of the controller’s or the processor’s representative, and the data protection officer;
- the categories of processing carried out on behalf of each controller;
- where applicable, transfers of personal data to a third country or an international organization, including the identification of that third country or international organization and, in the case of transfers referred to in the second subparagraph of Article 49(1), the documentation of suitable safeguards;
- where possible, a general description of the technical and organizational security measures referred to in Article 32(1).
Where can I find templates for documentation required by Article 30?
TrustArc has developed special on-demand reporting tailored to meet GDPR Article 30 requirements.
Checklist: How to comply with Article 30
- Gather stakeholders together and explain the benefits of having an up-to-date data inventory in order to get buy-in.
- After approaching stakeholders, start to gather the approximate number of business processes that need to be mapped.
- Asset inventories and vendor lists can be leveraged to help get an idea of the size and scope of the business mapping project.
- Start with a pilot project using one business unit to test and validate the methodology used to gather the information needed.
- Then use early deliverables from the pilot to secure better engagement for the broader project.
- Map your business processes.
GDPR Article 30: Records of Processing Activities (ROPA)
- Each controller and, where applicable, the controller’s representative, shall maintain a record of processing activities under its responsibility. That record shall contain all of the following information:
- the name and contact details of the controller and, where applicable, the joint controller, the controller’s representative and the data protection officer;
- the purposes of the processing;
- a description of the categories of data subjects and of the categories of personal data;
- the categories of recipients to whom the personal data have been or will be disclosed including recipients in third countries or international organizations;
- where applicable, transfers of personal data to a third country or an international organization, including the identification of that third country or international organization and, in the case of transfers referred to in the second subparagraph of Article 49(1), the documentation of suitable safeguards;
- where possible, the envisaged time limits for erasure of the different categories of data;
- where possible, a general description of the technical and organizational security measures referred to in Article 32(1).
- Each processor and, where applicable, the processor’s representative shall maintain a record of all categories of processing activities carried out on behalf of a controller, containing:
- the name and contact details of the processor or processors and of each controller on behalf of which the processor is acting, and, where applicable, of the controller’s or the processor’s representative, and the data protection officer;
- the categories of processing carried out on behalf of each controller;
- where applicable, transfers of personal data to a third country or an international organization, including the identification of that third country or international organization and, in the case of transfers referred to in the second subparagraph of Article 49(1), the documentation of suitable safeguards;
- where possible, a general description of the technical and organizational security measures referred to in Article 32(1).
- The records referred to in paragraphs 1 and 2 shall be in writing, including in electronic form.
- The controller or the processor and, where applicable, the controller’s or the processor’s representative, shall make the record available to the supervisory authority on request.
- The obligations referred to in paragraphs 1 and 2 shall not apply to an enterprise or an organization employing fewer than 250 persons unless:
- the processing it carries out is likely to result in a risk to the rights and freedoms of data subjects,
- the processing is not occasional,
- or the processing includes special categories of data as referred to in Article 9(1) or personal data relating to criminal convictions and offenses referred to in Article 10.