Once the General Data Protection Regulation (GDPR) comes into operation, on 25 May 2108, all businesses and organisations that are involved with processing the data of people living within the EU will be expected to comply with its stipulations. It is also important to note that, as detailed in Article 30 of GDPR, businesses and organisations need to keep records of their processing activities. As a data controller, not doing so means that they can face fines or other sanctions for non-compliance.
What Should be Documented?
Here is the information that needs to be documented, according to Article 30 of GDPR.
- The name and contact details of the business or organisation.
- The name and contact details of any Data Protection Officer (DPO) that is in place.
- The name and contact details of any business or organisation that is a joint controller of any personal data that is being processed.
- The name and contact details of representatives within the EU, for businesses or organisations that are based outside of the EU.
- The reason that the personal data is being processed, eg marketing.
- The categories of data being processed. For instance, is the individual a customer or an employee?
- The type of data that is being processed, such as health information or financial information.
- Details of anyone who personal data is shared with.
- Details of any non-EU countries which personal data is transferred to.
- Details of safeguards applied for any exceptional transfers of data, as described in Article 49 of GDPR.
- Retention details for different types of personal data.
- Details of the security measures in place for the protection of personal data.
As you can see, the documentation required is comprehensive. So, any business or organisation needs to devote time and effort, to ensure compliance.