Without going into too much detail, having seen the recent turmoil regarding the implementation of the General Data Protection Regulation and the fact that the subject has been more than widely debated, we wish to point out that, from our point of view, record keeping of data processing activities is a key aspect in a proper GDPR implementation scheme.
Depending on the size of the operator, the frequency of processing activities, and the character of the data that is processed, keeping records of all processing activity should be deemed necessary for a considerable number of operators. From our point of view, only operators that process personal data in exceptional and inconstant instances will be exempt from the obligation of record keeping.
We believe that any operator who consistently processes data needs to monitor these activities in order to prove alignment with GDPR provisions, according to the categories of processed data.
Operators transferring data to third countries or international organizations should take into account the conditions that lie at the foundation of these transfers in order to identify the situations where evidence of the transfer warranty documentation needs to be provided. This may vary depending on the nature of the data being processed, the persons whose data is being processed, and the third party countries the data is being sent to. A first step in identifying transfers’ warranty measures is analyzing the data protection and security measures contained in the legal provisions of the state to which the transfer will be made, in order to identify the extent to which these are compatible with the GDPR regulations and what supplementary warranties may be necessary.
Records of processing activities can be kept by one or several employees or even by an entire dedicated department, depending on the volume of the organization’s activities. Similarly, depending on the overall volume of those activities, the operators can choose to store the data in either electronic or physical format.
In order to easily access and update its contents, it is advisable to store the data processing evidence in an electronic format.
Although it is not expressly stated in the GDPR, we can conclude that record keeping of data processing activities is meant to replace the obligation to notify the supervising authorities regarding the aforementioned activities, leading us to believe that operators will be even more aware and responsible, especially since they have to clearly identify all processing categories, whereas, under the previous regime, only some categories had to be notified to the regulating authorities. We therefore recommend very detailed record keeping, to give operators the opportunity to minimize potential doubts regarding their compliance with GDPR provisions.
Keeping records of processing activities will allow the operators to identify the essential data processing-related elements within their organizations. These elements can eventually lead to identifying the correct measures necessary to ensure GDPR compliance and implementing mechanisms for the same, thus minimizing the risk of GDPR-related fines.
Thus, GDPR-affected organizations should make, keep, and update information about their data processing activities, preferably in electronic format.
From our point of view, a good starting point for record keeping is organizing the processed data in a way that allows the clear differentiation and specification of categories, targeted persons, data transfers, deletion terms, and security measures implemented in order to protect the aforementioned information.
As the GDPR was implemented on May 25, 2018, this important step should, ideally, already have been implemented and customized to its provisions.
By Gelu Maravela, Founding Partner, Daniel Alexie, Senior Associate, Maravela & Asociatii
This Article was originally published in Issue 5.5 of the CEE Legal Matters Magazine.