How to fulfill Art. 30 from GDPR (Records of processing activities)?

What’s the Aim of GDPR?

GDPR is the regulation everyone has recently been talking about. It affects every organization that processes personal data of EU residents, so it will force most companies to take fundamental organizational and technical measures to ensure compliance.

Don’t panic, though: the idea of the GDPR is not to eliminate SMEs.

“The aim of the GDPR is to protect all EU citizens from privacy and data breaches in an increasingly data-driven world that is vastly different from the time in which the 1995 directive was established”

The main aim is to ensure that companies do not abuse the personal data they hold, and that they treat sensitive information properly, storing it securely. This long-awaited regulation may actually increase brand trust and therefore customer loyalty. The Regulation may also help an organization increase its efficiency by engendering clear procedures and processes. And all the organization needs to do is comply with the law.

GDPR: Documenting Processes

According to Art. 30 from GDPR:

“Each controller and, where applicable, the controller’s representative, shall maintain a record of processing activities under its responsibility. That record shall contain all of the following information:

  • the name and contact details of the controller and, where applicable, the joint controller, the controller’s representative and the data protection officer;
  • the purposes of the processing;
  • a description of the categories of data subjects and of the categories of personal data;
  • the categories of recipients to whom the personal data have been or will be disclosed including recipients in third countries or international organisations;
  • where applicable, transfers of personal data to a third country or an international organisation, including the identification of that third country or international organisation and, in the case of transfers referred to in the second subparagraph of Article 49(1), the documentation of suitable safeguards;
  • where possible, the envisaged time limits for erasure of the different categories of data;
  • where possible, a general description of the technical and organisational security measures referred to in Article 32(1).”

This record should be updated regularly, and an employee (usually the DPO or GDPR owner) should be assigned and held responsible for its maintenance.

How to Organise Records of Processing Activities?

LogSentinel has developed a GDPR tool, available on its platform, which captures all the information required by the best practices of the local European regulators:


GDPR Compliance Tool (screenshot taken from the LogSentinel online platform)

Keeping a registry of all entities and their responsibilities is also a good way to gain better visibility of the processes, the types of personal data transferred and the relations between the different entities. This functionality is particularly useful when the organization has many divisions and/or subsidiaries.

Processing Record: Fillable form (processing activities)

Fillable form of a processing record (screenshot taken from the LogSentinel online platform)

Such a registry can also be as simple as a worksheet table containing all the fields relevant to the organization. A sample registry would contain the following columns:

  • Entity name
  • Entity type
  • Legal identifier (e.g. commercial register ID)
  • Address
  • Is a third-country representative? (Yes/ No)
    • Representative name (applicable to non-EU organizations)
    • Representative email
    • Representative phone
  • Above GDPR threshold (250 employees) (Yes/ No)
    • Data protection officer name
    • DPO email
    • DPO phone
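The Art. 30(1) items quoted above and the worksheet columns just listed can be turned into a mechanical completeness check that the DPO runs before each periodic review. The following is an added example in Python, not LogSentinel’s code and not an official template; the field names, the sample record and entities, and the choice to report the two “where possible” items (erasure time limits, security measures) as warnings rather than failures are assumptions made for this illustration.

```python
"""Minimal Records of Processing Activities (RoPA) completeness checker.

Added example (not LogSentinel code). Field names and sample data are
constructed for illustration; the required fields follow the Art. 30(1)
list, the conditional columns follow the worksheet layout above.
"""
import csv
import io

# Art. 30(1)(a)-(e): mandatory items, stored as record fields.
ART30_REQUIRED = {
    "controller": "name and contact details of the controller",
    "purposes": "purposes of the processing",
    "data_subject_categories": "categories of data subjects",
    "personal_data_categories": "categories of personal data",
    "recipient_categories": "categories of recipients",
}
# Art. 30(1)(f)-(g) are "where possible", so their absence is only a warning.
ART30_WHERE_POSSIBLE = {
    "erasure_time_limits": "envisaged time limits for erasure",
    "security_measures": "general description of security measures (Art. 32(1))",
}
# Columns of the worksheet-style entity registry described in the article.
ENTITY_COLUMNS = [
    "entity_name", "entity_type", "legal_identifier", "address",
    "third_country_representative", "representative_name",
    "representative_email", "representative_phone",
    "above_threshold", "dpo_name", "dpo_email", "dpo_phone",
]


def _blank(value):
    """True for None, empty strings and empty collections."""
    return value is None or (hasattr(value, "__len__") and len(value) == 0)


def _yes(value):
    """Accept both Python booleans and worksheet-style 'Yes'/'No' cells."""
    return value is True or str(value).strip().lower() in ("yes", "y", "true")


def check_processing_record(record):
    """Return (missing, warnings) for one processing activity.

    `missing` lists mandatory Art. 30(1) items that are absent; `warnings`
    lists "where possible" items that are absent. Third-country transfers
    are optional, but each one present must identify its destination and
    should document the safeguards relied upon.
    """
    missing = [d for k, d in ART30_REQUIRED.items() if _blank(record.get(k))]
    warnings = [d for k, d in ART30_WHERE_POSSIBLE.items() if _blank(record.get(k))]
    for transfer in record.get("third_country_transfers", []):
        dest = transfer.get("destination")
        if _blank(dest):
            missing.append("identification of the third country or international organisation")
        elif _blank(transfer.get("safeguards")):
            warnings.append("documentation of suitable safeguards for transfer to " + dest)
    return missing, warnings


def check_entity(entity):
    """Return the worksheet columns that are empty but required for this entity.

    Representative columns are required only for third-country entities;
    DPO columns only when the entity is above the 250-employee threshold.
    """
    required = ["entity_name", "entity_type", "legal_identifier", "address"]
    if _yes(entity.get("third_country_representative")):
        required += ["representative_name", "representative_email", "representative_phone"]
    if _yes(entity.get("above_threshold")):
        required += ["dpo_name", "dpo_email", "dpo_phone"]
    return [k for k in required if _blank(entity.get(k))]


def entities_to_csv(entities):
    """Render the entity registry as a worksheet-style CSV text."""
    buf = io.StringIO()
    writer = csv.DictWriter(buf, fieldnames=ENTITY_COLUMNS)
    writer.writeheader()
    for entity in entities:
        writer.writerow({k: entity.get(k, "") for k in ENTITY_COLUMNS})
    return buf.getvalue()


# Constructed sample data: a fictional controller and one payroll activity.
SAMPLE_RECORD = {
    "controller": "Example Ltd, privacy@example.test",
    "purposes": "payroll administration",
    "data_subject_categories": ["employees"],
    "personal_data_categories": ["identification data", "bank account"],
    "recipient_categories": ["payroll provider", "tax authority"],
    "erasure_time_limits": "10 years after end of employment",
    "security_measures": "encryption at rest, role-based access, audit logging",
    "third_country_transfers": [{"destination": "payroll provider (USA)", "safeguards": ""}],
}
SAMPLE_ENTITY = {
    "entity_name": "Example Ltd", "entity_type": "controller",
    "legal_identifier": "000000000", "address": "1 Example Street",
    "third_country_representative": "Yes",
    "representative_name": "Jane Doe", "representative_email": "jane@example.test",
    "above_threshold": "No",
}

if __name__ == "__main__":
    print("record:", check_processing_record(SAMPLE_RECORD))
    print("entity:", check_entity(SAMPLE_ENTITY))
    print(entities_to_csv([SAMPLE_ENTITY]))
```

Run on the sample data, the record passes the mandatory checks but warns that the US transfer has no documented safeguards, and the entity check flags the missing representative phone number. The same functions can be pointed at rows read from an existing worksheet, which is the cheapest way to find the gaps before an auditor does.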

Another way to do this is by using dedicated software, as shown below. The advantages of such software are the automation between both types of records, better visibility, the relations between the different record types and the export options.

The major advantage of using specialized software such as LogSentinel, however, is that it covers the risk of accidentally deleting the file or the whole location. Another plus is the use of a centralized system: most of the duties the DPO should look after can be kept in one place in an accessible way.

The DPO can also use the LogSentinel platform to describe the relations between the teams and entities, as well as the relations with third parties, so everything is easily accessible and can be presented to external auditors, senior management and stakeholders:


Joint Controller Table (screenshot taken from the LogSentinel online platform)

One more advantage of the LogSentinel option is having all GDPR-related activities in one place, along with a reporting dashboard with log aggregation. From a DPO perspective, traceability becomes more efficient and much easier to build into the work routine.

Restricted editing is also a considerable advantage: only a limited number of key employees can access and modify this tool.

Log event tracking, on the other hand, makes security breaches much easier to detect. It allows users to set up notification events so they are notified in case of incidents. This helps the organization fulfill one more GDPR requirement: companies are obliged to inform the local authority within 72 hours of the data breach event. With such an automated process in place, the notification becomes much easier to fulfill.

Advantages and Disadvantages of Using a Centralised Logging System

Below is a comparison of a simple worksheet against a centralised logging system such as LogSentinel:

LogSentinel Platform:
  • Easy to implement
  • Easy to follow up
  • Integration between digital evidence and processing records
  • Integration between GDPR-related processes and logs (e.g. data breach-related processes)
  • Can be easily organized by the DPO
  • Can only be accessed by the DPO and a limited number of key employees

Simple Worksheet:
  • Inexpensive solution
  • Time-consuming
  • Risk of record deletion

In brief, to fulfill Art. 30 of the GDPR, companies will need to take proper action, review all their processes and prepare documents governing every process related to personal data. To make this easier, LogSentinel has implemented a GDPR tool within its event logging software, ensuring easy integration with GDPR fulfillment, which can make the life of the DPO easier and also unlock substantial business value.

Interested in LogSentinel’s centralised tool? Sign up today.