Does the GDPR Require a Personal Data Inventory?
GDPR Article 30: Personal Data Inventory and Record of Processing Activities Explained
One of the most common areas where confusion seems to arise for our clients is surrounding the difference between a Personal Data Inventory and a Record of Processing Activities.
A traditional data inventory is extremely labour-intensive, involving gathering a snapshot of all of the data currently held by an organisation. This might include recording the following:
- Type of data
- Volume of information
- How to access
- International transfers
Trying to ensure that all of the existing information is catalogued, including email data and off-site data, while maintaining the inventory record as new data is added, consumes considerable time and resources. The process is so difficult, in fact, that we believe the task is essentially impossible to complete successfully, let alone to maintain over time.
Does the GDPR Require a Personal Data Inventory?
Thankfully, the GDPR does not require such an inventory. Instead, the emphasis has shifted from what data is being managed to recording and demonstrating how and why that data is being managed. This is called the Record of Processing Activities, and the GDPR specifies what information needs to be recorded by the Controller and the Processor. Though the process is still rather involved, it is much easier to achieve compliance in this regard than with prior data management techniques.
What’s the difference between ‘Data Holdings’ and ‘Records of Processing’?
To further understand the GDPR’s shift to Records of Processing, it is helpful to compare it side-by-side to the previous requirement of data holdings:
| Data Holdings | Records of Processing |
|---|---|
| Focus = ‘What’ | Focus = ‘How’ and ‘Why’ |
| What data are in ‘system X’ vs. ‘system Y’? | Why are the data being processed? |
| What data can staff access? | How are business units processing the data? |
| What data are subject to which transfer mechanism? | Alignment with business products/services, and with data flow mapping |
What exactly must be included in the Record of Processing?
Article 30, Sections 1 and 2 of the GDPR outline the requirements of the Record of Processing Activities for both the Controller and the Processor. Let’s take a look:
The Controller must keep a record of activities carried out under its responsibility. This record must contain:
- Name and contact details of the controller, representative, and DPO
- Purposes of processing
- Categories of data subjects and personal data
- Categories of recipients to whom data are or will be disclosed (including recipients in third countries)
- Retention periods (if possible)
- Technical and organisational security measures (if possible)
The Processor must keep a record of activities carried out on behalf of the controller. This should include:
- Name and contact details of the processor, controller, and where applicable, the controller or processor’s representative, and the DPO
- Categories of processing carried out on behalf of the controller
- Overview of third country data transfers (if applicable)
- Technical and organisational security measures (if applicable)
Record of Processing Activities Register
Additionally, a Record of Processing Activities Register must be created. This is primarily an internal document that helps staff to better understand how and why data needs to be processed, as well as how to shape policies and procedures to protect the data. It is an important part of an organisation’s accountability obligation, and in the event of an investigation by the DPA, it proves that you are in control of your data processing operations.
This record replaces your obligation to register your data with the DPA. It should be available on demand, to be shown immediately in the event of an unexpected visit. Most organisations with fewer than 250 employees are exempt from this obligation, unless they process sensitive data on a large scale or undertake other forms of high-risk processing.
What will the DPA want to see?
The DPA will require a record which the data controller can prove meets the broad requirements of Article 30. The DPA will take record keeping into account when investigating contraventions and imposing sanctions, and in particular will treat the risk to data subjects as a key consideration. If the controller can prove their compliance through a thorough knowledge of their processing activities, and a record that demonstrates that they are actively monitoring those activities, they are very likely to satisfy the DPA’s questions.
How can Nymity help?
Nymity has years of experience supporting the privacy office in operationalizing compliance and meeting the requirements of data privacy legislation.
Our ExpertPIA™ software solution takes a privacy-by-design approach, mitigating risk prior to conducting assessments. Data inventory becomes an outcome of project reviews focused on better (and more) processing of personal data to meet the needs of the business. The outcome? Not only do organisations satisfy DPIA requirements, the SmartPIA also produces a Record of Processing Report, making GDPR compliance easy to demonstrate.
Interested in more detail about Article 30 and data inventories? Watch our webinar on-demand, featuring Anne Fontanille, Privacy Counsel – Data Protection Officers Department, CNIL and Oran Kiazim, Vice President, Global Privacy, Sterling Talent Solutions.