It’s easy to feel overwhelmed by the obligation to keep records under the GDPR. It is a non-trivial requirement that will force most companies to reconsider their processing operations. This is likely the intent of the GDPR: only the necessary processing operations should be carried out.
However, not all is that bad. Records can give you more insight into how you process data, giving you an overview that you could have a hard time getting otherwise. Plus, the regulators will look kindly upon you.
Mandatory for All
Record-keeping is now a requirement both for data controllers and data processors. Even third-party companies will have to keep processing records for data they don’t own but process anyway.
The goal is to have the records ready for when the regulators require them. They must be quickly presented to the regulatory authorities, and they are considered prime evidence of compliance with the GDPR.
SMEs Have It Easier
Small to medium enterprises, i.e. businesses employing fewer than 250 individuals, are ‘given some slack’ when it comes to record-keeping. The administrative burden weighs comparatively more heavily on smaller companies than on large ones, so SMEs do not have to keep records, as long as they satisfy certain conditions.
Their processing must not occur on a regular basis (only occasionally), and processing cannot be the core business operation. If sensitive (protected) data is being processed, record-keeping is mandatory. This includes employee data as well.
Several processing activities can be bundled into a single record, as long as the processing is conducted for a single purpose.
A single record can thus apply to several operations, which can help you reduce the number of records you own. However, sometimes this can increase their complexity so you might not gain much. Separate records are thus also allowed.
Processing records have a list of required data that must be included in them. There are no set rules for how they should look (or in what file format they should be made and kept), so companies are free to choose whatever suits them.
However, the bare minimum of content is non-negotiable. Each record must include a detailed explanation of the purpose of processing and the contact details of the processor. Categories of personal data and sensitive personal data used for processing must be listed, as well as any ongoing transfers of data outside the EU. Specify the period after which the data will be deleted and briefly explain what security measures you took in order to secure the data.
DPOs Can Help
A data protection officer can help things run smoothly, especially in smaller organisations that lack qualified personnel. Small companies can even outsource their DPO to reduce costs while still taking advantage of their know-how. This can help them avoid expensive fines and liability at a minimal, nominal cost. Plus, a DPO can provide valuable education for the rest of the staff, which should reduce the risk of data loss and breaches.