The GDPR and recording processing activities: Why, who, what and how

You’ve heard talk of it for weeks or even months, and now the application of the General Data Protection Regulation (GDPR) came into effect on 25 May 2018. The new measures to be implemented by this EU regulation include the obligation for a data controller or their data processor to keep a record of processing activities.

Why keep a record of processing activities?

First of all, because keeping a record will replace the current obligation of notifying the supervisory authority in advance (e.g. the DPA in Belgium, the CNIL in France, Autoriteit Persoonsgegevens in the Netherlands, the AEPD in Spain, etc.), which is generating excessive administrative burden.

According to the GDPR, keeping appropriate records will enable a data controller or their data processor to demonstrate during a potential inspection, for example, that their processing activities comply with the principles laid down by the regulation.

From now on, the emphasis will be on the responsibility of the processing entity (even subcontracted data processors) which, by keeping these records correctly, will have an overview of their processing operations, allowing them to monitor and ensure their own compliance with the new legal obligations.

Recording processing activities is therefore a precious tool for ensuring compliance and in a general sense, a good starting point for the compliance process.

Who is involved in the obligation of keeping a record of processing activities?

In principle, the obligation of keeping a record of processing activities applies to all data controllers (and, where applicable, their representatives) and their subcontracted data processors. However, the regulation provides for one exemption, which remains very limited in practice: companies or organisations with fewer than 250 employees are not obliged to keep these records, except in the following cases:

• The processing activity is not occasional, i.e. if it is regular. For example, according to the recent recommendations from the Belgian Data Protection Authority, the term ‘regular’ covers data processing operations linked to customer management, supplier management and even personnel management (human resources)
• The processing activity is likely to result in a risk to the rights and freedoms of data subjects
• The processing activity involves sensitive data (such as medical data, data concerning sexual orientation, religious, philosophical or political convictions, etc.)
• The processing activity relates to legal data (e.g. criminal convictions)

In most cases, keeping data processing records proves to be compulsory. In any event, doing so is strongly recommended since these records will prove useful for the compliance process by ensuring that all legal obligations are met.

What do the processing records need to show?

The information to be shown in these records varies according to whether you’re acting as a ‘data controller’ or as a subcontracted ‘data processor’.

If you are a ‘joint controller’ of the processing, your records need to show a minimum of the following information:

• Your name and contact details, along with those of the Data Privacy Officer (DPO)
• A description of the purposes of the processing, i.e. the reasons why the data is being processed (e.g. customer management, personnel management, etc.)
• A description of the categories of data processed (e.g. identification data, financial data, geolocation data, etc.)
• A description of the categories of persons whose data is processed (e.g. customers, website visitors, prospects, employees, service providers, minors, etc.)
• The recipients to whom the data has been communicated (including recipients based in countries outside the EU)
• Any transfers of the data to a third-party country together with documentation showing the existence of appropriate guaranties for each transfer
• The retention period for each category of data
• A general description of technical and organisational security measures

If you’re a ‘data processor’, your records need to include a minimum of the following information:

• Your name and contact details together with those of the data controller on whose behalf you are acting and, where applicable, the contact details of the Data Privacy Officer (DPO)
• The categories of processing carried out on the data controller’s behalf
• Any transfers of the data to a third-party country together with documentation showing the existence of appropriate guaranties for each transfer
• A general description of technical and organisational security measures

This constitutes the minimum information that must be included, so it is entirely possible to include other elements (such as the legal basis, the result of the impact analysis (if required), etc.).

How should records be kept in practice?

At present, there is no mandatory standard model, so you are free to decide how you keep your records. Having said that, they must be presented in writing, which includes electronic form. They must be clear, comprehensible and legible. However, the Belgian supervisory authority (DPA, Data Protection Authority) has published a record template and some recommendations on its website.

What happens if you don’t keep correct data processing records?

Besides its standard powers as a watchdog (issuing warnings, temporarily or permanently limiting data processing, withdrawing certification, etc.), the supervisory authority can order you to pay a fine of up to €10,000 or up to 2% of your annual global turnover.