Article 30 of the GDPR refers to the records of data processing that a data controller and data processor need to keep. They need to keep these records in order to demonstrate GDPR accountability and their efforts at compliance with the 6 principles of data processing as outlined in the GDPR.
The organisation must keep a Record of Processing Activities (ROPA) – that is, records of all personal data that they process. We have created a free downloadable study poster highlighting the Controller and Processor obligations, you can access this at the end of this article.
Who does the GDPR Records of Processing rule apply to?
The obligation for keeping records of processing activities does not apply to organisations with less than 250 employees and where the processing is:
- Unlikely to result in a risk to the rights and freedoms for the data subjects
- Does not include special categories of data or personal data relating to criminal convictions and offences .
As you can see, in reality very few organisations will be exempt from Article 30, Records of Processing.
Previously, companies doing business in Europe would have had to register with the local Supervisory Authority. Even though this requirement has been abolished under the GDPR, it does not mean companies are exempt from having to keep records.
What are the penalties?
The organisation will have to keep the records in writing in paper or electronic form. When requested by the surpervisory authority, these records will need to be provided. Consequently, failure to comply could result in a fine. The related fines are either:
Maximum EUR 10 million
or up to
2% of the global annual turnover of the preceding year.
Whichever of these two figures is higher.
So what information are organisations obliged to keep?
Both Data Controllers and Data Processors are required to keep records of processing. However it is important to note that there are some differences in their obligations.
In the below example of a University campus we outline some examples of the data types and categories referred to in Article 30 records of processing.
The Controller has responsibility to document and keep the following information:
- The name and contact details of the data controller (and joint controller or controllers representative, if applicable) will need to be documented. If applicable the data protection officer’s name and contact details will also need to be retained.
- The reason for processing the personal data needs to be recorded. For example:
- Campus Accommodation Adminstration
- Exam Scheduling
- The obligation to document the different types of personal data that the organisation processes. For example:
- Sudent Name
- Staff Salary Information
- Exam Results
- Contact Details
- The different types of people whose personal data is being processed by the organization. For example:
- Post Grad Students
- Undergrad Students
- Cleaning Staff
- Teaching Staff
A note: The GDPR does not specify how detailed the description of processing activities should be. In addition, it does not specify if companies are obliged to carry out regular checks to ensure their records are up to date and accurate.
It is likely that Supervisory Authorities around Europe will all have different standards. However, to take the UK Information Commissioners Office as an example, it specifies that:
“A generic list of pieces of information with no meaningful links between them will not meet the GDPR’s documentation requirements.”
The ICO recommends linking the above categories in a meanginful way. Take for example, the table below. There is a clear correlation between the purposes of processing, categories of individuals and the categories of personal data.
In addition, the ICO recommends “the information you document must reflect the current situation as regards the processing of personal data. So you should treat the record as a living document that you update as and when necessary”.
- The different types of 3rd parties who the personal data has already been or may be disclosed to. So for example:
- Salary Processing
- Contract cleaning company
- Information on the country or international organisation where the data has been transferred. In addition, if the data needs to be transferred on a once off, exceptional basis to a 3rd country as outlined in Article 49 (1), the safeguards for this need to be documented.
- The length of time the organisation intends holding the personal data for and by extension, when they will delete it by.
- The security measures ensuring the data is handled and accessed securely need to be documented. Article 32 (1). For example:
- Encryption protocols
- Data access controls
- Data back up plan
The Processor is obliged to ensure the following information is fully documented:
- The name and contact details of the processor(s) and of each controller on behalf of which the processor is acting. Also where applicable the name and contact details of the data protection officer.
- The processes that the organisation uses the personal data for need to be recorded. For example:
- Running payroll
- Exam scheduling
- Information on the country or international organisation where the data has been transferred. In addition, if the data needs to transferred on a once off, exceptional basis to a 3rd country as outlined in Article 49 (1), the safeguards for this need to be documented.
- The security measures ensuring that the data is handled and accessed securely need to be documented. Article 32 (1). For example:
- Encryption Protocols
- Secure data storage
- Data back up plan