How to Demonstrate Compliance With GDPR Article 30

UK GDPR Version

Records of processing activities

1. Each controller and, where applicable, the controller’s representative, shall maintain a record of processing activities under its responsibility. That record shall contain all of the following information:
• The name and contact details of the controller and, where applicable, the joint controller, the controller’s representative and the data protection officer.
• The purposes of the processing.
• A description of the categories of data subjects and of the categories of personal data.
• The categories of recipients to whom the personal data have been or will be disclosed including recipients in third countries or international organisations.
• Where applicable, transfers of personal data to a third country or an international organisation, including the identification of that third country or international organisation and, in the case of transfers referred to in the second subparagraph of Article 49(1), the documentation of suitable safeguards.
• Where possible, the envisaged time limits for erasure of the different categories of data.
• Where possible, a general description of the technical and organisational security measures referred to in Article 32(1), or, as appropriate, the security measures referred to in section 28(3) of the 2018 Act.
2. Each processor and, where applicable, the processor’s representative shall maintain a record of all categories of processing activities carried out on behalf of a controller, containing:
• The name and contact details of the processor or processors and of each controller on behalf of which the processor is acting, and, where applicable, of the controller’s or the processor’s representative, and the data protection officer.
• The categories of processing carried out on behalf of each controller.
• Where applicable, transfers of personal data to a third country or an international organisation, including the identification of that third country or international organisation and, in the case of transfers referred to in the second subparagraph of Article 49(1), the documentation of suitable safeguards.
• Where possible, a general description of the technical and organisational security measures referred to in Article 32(1). Or, as appropriate, the security measures referred to in section 28(3) of the 2018 Act.
3. The records referred to in paragraphs 1 and 2 shall be in writing, including in electronic form.
4. The controller or the processor and, where applicable, the controller’s or the processor’s representative, shall make the record available to the Commissioner, on request.
5. The obligations referred to in paragraphs 1 and 2 shall not apply to an enterprise or an organisation employing fewer than 250 persons unless the processing it carries out is likely to result in a risk to the rights and freedoms of data subjects, the processing is not occasional, or the processing includes special categories of data as referred to in Article 9(1) or personal data relating to criminal convictions and offences referred to in Article 10.

Technical Commentary

GDPR Article 30 addresses four key areas of a record maintenance:

1. Records of processing activities by the controller.
2. Records of processing activities by the processor.
3. Written record formats.
4. The powers of supervisory authorities.

Article 30 also outlines exceptions that are applied to any of the above areas – most notably that any organisation employing less than 250 people isn’t obliged to maintain processing records, except where the rights and freedoms of data subjects are ‘not occasional’, or the organisation processes ‘special categories’ of data, or criminal data.

ISO 27701 Clause 6.12.1.2 (Addressing Security Within Supplier Agreements) and EU GDPR Article 30 (2)(d)

When addressing security within supplier relationships, organisations should ensure that both parties are aware of their obligations towards privacy information security, and one another.

In doing so, organisations should:

• Offer a clear description that details the privacy information that needs to be accessed, and how that information is going to be accessed.
• Classify the privacy information to be accessed in accordance with an accepted classification scheme (see ISO 27002 Controls 5.10, 5.12 and 5.13).
• Give adequate consideration to the suppliers own classification scheme.
• Categorise rights into four main areas – legal, statutory, regulatory and contractual – with a detailed description of obligations per area.
• Ensure that each party is obligated to enact a series of controls that monitor, assess and manage privacy information security risk levels.
• Outline the need for supplier personnel to adhere to an organisation’s information security standards (see ISO 27002 Control 5.20).
• Facilitate a clear understanding of what constitutes both acceptable and unacceptable use of privacy information, and physical and virtual assets from either party.
• Enact authorisation controls that are required for supplier-side personnel to access or view an organisation’s privacy information.
• Give consideration to what occurs in the event of a breach of contract, or any failure to adhere to individual stipulations.
• Outline an Incident Management procedure, including how major events are communicated.
• Ensure that personnel are given security awareness training.
• (If the supplier is permitted to use subcontractors) add in requirements to ensure that subcontractors are aligned with the same set of privacy information security standards as the supplier.
• Consider how supplier personnel are screened prior to interacting with privacy information.
• Stipulate the need for third-party attestations that address the supplier’s ability to fulfil organisational privacy information security requirements.
• Have the contractual right to audit a supplier’s procedures.
• Require suppliers to deliver reports that detail the effectiveness of their own processes and procedures.
• Focus on taking steps to affect the timely and thorough resolution of any defects or conflicts.
• Ensure that suppliers operate with an adequate BUDR policy, to protect the integrity and availability of PII and privacy-related assets.
• Require a supplier-side change management policy that informs the organisation of any changes that have the potential to impact privacy protection.
• Implement physical security controls that are proportional to the sensitivity of the data being stored and processed.
• (Where data is to be transferred) ask suppliers to ensure that data and assets are protected from loss, damage or corruption.
• Outline a list of actions to be taken by either party in the event of termination.
• Ask the supplier to outline how they intends to destroy privacy information following termination, or of the data is no longer required.
• Take steps to ensure minimal business interruption during a handover period.

Organisations should also maintain a register of agreements, that lists all agreements held with other organisations.

Supporting ISO 27002 Controls

• ISO 27002 5.10
• ISO 27002 5.12
• ISO 27002 5.13
• ISO 27002 5.20

ISO 27701 Clause 6.15.1.1 (Identification of Applicable Legislation and Contractual Requirements) and EU GDPR Article 30 (2)(d)

Organisations should conform to legal, statutory, regulatory and contractual requirements when:

• Drafting and/or amending privacy information security procedures.
• Categorising information.
• Embarking upon risk assessments relating to privacy information security activities.
• Forging supplier relationships, including any contractual obligations throughout the supply chain.

Organisations should follow procedures that allow them to identify, analyse and understand legislative and regulatory obligations – especially those that are concerned with privacy protection and PII – wherever they operate.

Organisations should be continually mindful of their privacy protection obligations whenever entering into new agreements with third-parties, suppliers and contractors.

When deploying encryption methods to bolster privacy protection and safeguard PII, organisations should:

• Observe any laws that govern the import and export of hardware or software that has the potential to fulfil a cryptographic function
• Provide access to encrypted information under the laws of the jurisdiction they are operating within.
• Utilise three key elements of encryption:
1. Digital signatures.
2. Seals.
3. Digital certificates.

Supporting ISO 27002 Controls

• ISO 27002 5.20

ISO 27701 Clause 7.2.8 (Records Related to Processing PII) and EU GDPR Article 30

In this section we talk about GDPR Articles 30 (1)(a), 30 (1)(b), 30 (1)(c), 30 (1)(d), 30 (1)(f), 30 (1)(g), 30 (3), 30 (4) and 30 (5)

Organisations need to maintain a thorough set of records that support its actions and obligations as a PII processor.

Records (otherwise known as ‘inventory lists’) should have a delegated owner, and may include:

• Operational – the specific type of PII processing that’s being undertaken.
• Justifications – why the PII is being processed.
• Categorical – lists of PII recipients, including international organisations.
• Security – an overview of how PII is being protected.
• Privacy – i.e. a privacy impact assessment report.

ISO 27701 Clause 7.5.1 (Identify Basis for PII Transfer Between Jurisdictions) and EU GDPR Article 30 (1)(e)

From time to time, the need may arise to transfer PII between two distinct jurisdictions. When this occurs, organisations should justify and document the need for doing so.

Regional regulatory and legal rules vary depending on where the data has originated from, and where it’s going to be transferred to.

Organisations should take all relevant laws, frameworks and regulations into account whenever they need to transfer data between jurisdictions, including the use of a designated supervisory authority.

ISO 27701 Clause 7.5.2 (Countries and International Organizations to Which PII Can Be Transferred) and EU GDPR Article 30 (1)(e)

Organisations should keep a documented list of the countries and organisations that they could potentially transfer their PII to, under reasonable circumstances.

Once they’ve formulated a list, organisations should made the information available to their customers, including any subcontracted PII operations (see ISO 27701 Clause 7.5.1).

In certain circumstances – especially in the case of criminal investigations – confidentiality laws may prevent the organisation from revealing the identity of destination countries and organisations in advance (see ISO 27701 Clauses 8.5.4 and 8.5.5).

Supporting ISO 27701 Controls

• ISO 27701 7.5.1
• ISO 27701 8.5.4
• ISO 27701 8.5.5

ISO 27701 Clause 7.5.3 (Records of Transfer of PII) and EU GDPR Article 30 (1)(e)

It’s vitally important that organisations keep an accurate record of PII transfers to third party organisations.

Organisations should be able to record PII that has been amended in any way (in line with the controllers obligations and objectives), or transfers that are required before enacting a request from the PII principal to change or erase the PII.

Records should be subject to a proportional retention period, and should be subject to data minimisation rules that return only that which is needed to fulfil a specific objective.

ISO 27701 Clause 7.5.4 (Records of PII Disclosure to Third Parties) and EU GDPR Article 30 (1)(d)

Organisations should log any disclosure of PII to third parties, including the following three pieces of information:

• What’s been disclosed.
• Who has the information been disclosed to.
• When the disclosure was made (date and time).

It’s standard practice to disclose PII for a variety of reasons, throughout an organisation’s information processing operation.

Logs should be made of disclosures that occur during normal business practices, and any special circumstances that arise (i.e. regulatory or legal investigations.

ISO 27701 Clause 8.2.6 (Records Related to Processing PII) and EU GDPR Article 30

In this section we talk about GDPR Articles 30 (2)(a), 30 (2)(b), 30 (3), 30 (4) and 30 (5)

Organisations should keep accurate and up-to-date records that allow them, at any given time, to evidence compliance with any contractual obligations related to the processing of PII.

Depending on the jurisdiction, records may need to include:

• Categorical lists of processing, on a customer-by-customer basis.
• Any data transfers to other countries or international organisations.
• Technical security controls.

ISO 27701 Clause 8.4.2 (Return, Transfer or Disposal of PII) and EU GDPR Article 30 (1)(f)

Organisations need to have concrete plans in place that govern how PII can be returned, transferred or disposed of, and make all such policies available to the customer.

• Returning any PII to the customer.
• Providing the PII to another organisation.
• Destroying information.
• De-identification.
• Archiving.

There are various scenarios that require the disposal of PII, including (but not limited to):

Organisations need to provide categorical assurances that any PII which is no longer needed is going to be destroyed in accordance with any prevailing legislation or regional guidelines.

All disposal policies should be available to the customer on demand, and should cover the period of time that organisations have to destroy PII, once a contract has been terminated.

ISO 27701 Clause 8.5.2 (Countries and International Organizations to Which PII Can Be Transferred) and EU GDPR Article 30 (2)(c)

Organisations should keep an accurate, up-to-date list of any countries or organisations where PII has the potential to be transferred to.

Customers should be able to view a list of potential recipient countries and organisations at any given time, including a log of all countries involved in PII subcontracting (see ISO 27701 Clause 8.5.1).

In certain circumstances, organisations will not always be able to divulge in advance where transfer requests have originated from – particularly involving cases of criminal proceedings. This is unavoidable, and it should be the organisation’s priority to uphold the integrity of a law enforcement operation (see ISO 27701 Clauses 7.5.1, 8.5.4 and 8.5.5).

Supporting ISO 27701 Controls

• ISO 27701 7.5.1
• ISO 27701 8.5.1
• ISO 27701 8.5.4
• ISO 27701 8.5.5

ISO 27701 Clause 8.5.3 (Records of PII Disclosure to Third Parties) and EU GDPR Article 30 (1)(d)

Organisations should meticulously record any instances of them needing to disclose PII to a third party.

Whenever PII is disclosed – either as part of standard business routines or in special circumstances, such as an ongoing legal or regulatory process – organisations should record what’s been disclosed, the recipient, and the underlying reason for doing so.

Supporting ISO 27701 Clauses and ISO 27002 Controls

How ISMS.online Helps

ISMS.online helps you demonstrate a level of protection that exceeds ‘reasonable’ in a secure, always-on location.

We make data mapping a simple task. By adding your organisation’s details to our preconfigured dynamic Records of Processing Activity tool, you can easily record and review it all.

If the worst happens, you’ll be ready.

With our tools, you can plan, communicate, document, and learn from every breach.

Find out more by booking a 30 minute demo.