What are you doing with my data?!
Under the GDPR, if you process data more than occasionally, you’re going to need to keep some pretty detailed records about what you’re doing with your data.
Article 30 of the GDPR says that every data controller and processor must keep “records of processing activities.”
Now, this doesn’t mean that you need to be recording that on 28th February, you changed Mr Smith’s address from 14 Gerbil Avenue to 21 Hamster Road. So, what do you need to record?
Well, first, a few basics. The GDPR has different requirements depending on whether you’re a Controller or a Processor.
Are you a Controller or a Processor?
Here’s how to tell: if you’re the ones who decide what purpose data is being collected for, or how it’s being collected, that makes you a controller. If you’re just doing the processing on behalf of, and under instruction from, some other organisation, that makes you a data processor.
Don’t forget that it’s more than likely that many organisations will be both controller and processor – controlling some data, and processing other, or both controlling and processing some data.
The following requirements apply to both data controllers and data processors.. You must record:
- Your company’s details, and the contact details of your Data Protection Officer (if you have one), and, if your company is not itself within the EU, your designated representative in the EU.
- A general description of the security measures you’ve implemented, both technical (such as encryption) and organisational (such as restricting who has access to your systems), in order to protect the data
- If you’re ever transferring data outside the EEA, you’ll need to document where you’re transferring data to, and the safeguards in place to protect that data (there’s a whole section in the GDPR regarding international transfers of data – if this affects you, you should be Googling GDPR Articles 44 to 50. Other search engines are available, apparently.)
At that point, things differ depending on what role you have.
So you’re a controller…
If you’re the controller, as it’s you that determines the purpose of the data processing, you’ll need to describe that purpose.
Additionally, you will also need to record the types of people whose data you’re working with, and the types of data you’re working with.
Perhaps if you’re running a doctor’s surgery, your record of processing activity might state that you’re recording information about patients of the surgery, and that the categories of data being processed include:
- essential contact information
- next of kin details
- detailed health information
- genetic information
- information about a patient’s personal circumstances, such as family ties or lack thereof
Alternatively, if you’re recording processing activity at an insurance company you might state that you’re processing records of
- Your clients, including home-owners, drivers, owners of electronic gadgets and equipment, and others requiring insurance
- People who are not clients, but who have direct interaction with your clients, such as third parties in the event of accidents, or legal professionals offering advice to your clients
And you might record that the data being processed includes
- Personal contact details
- Driving history
- Claims history
- Financial information, including late payments of premiums
- Medical history, for those patients who have medical insurance
…and so on.
If you’re a controller, you’ll also need to record the types of recipients to whom you’re going to be disclosing data, including any that are abroad, as discussed earlier.
This might include other insurers, credit reference agencies, other medical establishments or supervisory bodies.
Finally, If you’re a controller, you’ll need to document the length of time you plan to keep each category of data before erasing it.
So you’re a processor…
Firstly, congratulations – you’re not going to have to record those things listed in the section about controllers…. But, the bad news is that there are a number of things that need to go in your documentation instead.
Firstly, if you’re a processor, you need to record the names and contact details of the controller on behalf of which you’re processing data. You’ll need to record details of the controller’s DPO, if they have one, and their representative, if they’re not based in the EU.
Whilst this might sound simple at first glance, the average processor (such as a marketing agency, a database design company, a web advertising company and so on) will no doubt be processing data on behalf of numerous clients. And these details must be recorded for every controller on behalf of which the processor is processing data.
Processors must also document the categories of processing being carried out on behalf of each controller. The GDPR defines processing as “any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction” – so that’s quite a set of boxes you’ll need to tick. I’d suggest an “all of the above” box might be needed…
Can I keep oral records in the grand tradition of my parents, and my parents’ parents, and my parents’ parents’ parents?
Nope. The GDPR dictates that these need to be written records – INCLUDING in electronic form. That implies in both written and electronic form – although I think you could get away with keeping these records in electronic form, and then printing them as and when required.
When would that be required?
Well, Article 30 says that these records must be made available to the local supervisory authority (the Information Commissioner’s Office in the UK) on demand. So, make sure there’s toner in that printer if they come knocking…
Hang on – I heard I don’t need to do this if we’re a small company
Hmmm… Not so fast. Yes, Article 30 says that these requirements don’t apply to organisations of under 250 employees. But then it says the dreaded word “Unless”.
- Unless the processing you’re doing results in a high risk to the rights and freedoms of data subjects. So, if you’re that doctor’s surgery, or if you’re a charity with data regarding people who’ve suffered abuse, or you hold information about the financial dealings of your data subjects – you’re probably covered by this requirement
- Or, unless the data you’re processing includes “special category” data – that’s broadly data relating to health, beliefs, sexual orientation and suchlike (take a look here for a complete list)
- Or, unless your processing is not “occasional”
And for very many organisations, however small, data is processed far more than “occasionally” these days. So, sorry, but I think you’re likely to have to comply.
But, like much of the GDPR, the best way to approach it is as an opportunity. If you can get ahead of the game, if you can confidently state that you do keep such records, that you do comply with both the letter and the spirit of the GDPR, you’ll almost certainly be in the minority, at least for a good while.
And when your prospective customers come to choose a company they’d trust to do business with, that could really set you apart from the crowd.