GDPR Article 30 requires organisations to keep adequate records (essentially written accounts) of all processing-related activities.
This obligation gives expression to several data processing principles. The text of the Article reads as follows:
Records of processing activities (EU GDPR)
- (1) Each controller and, where applicable, the controller’s representative, shall maintain a record of processing activities under its responsibility. That record shall contain all of the following information:
  - (a) The name and contact details of the controller and, where applicable, the joint controller, the controller’s representative and the data protection officer.
  - (b) The purposes of the processing.
  - (c) A description of the categories of data subjects and of the categories of personal data.
  - (d) The categories of recipients to whom the personal data have been or will be disclosed, including recipients in third countries or international organisations.
  - (e) Where applicable, transfers of personal data to a third country or an international organisation, including the identification of that third country or international organisation and, in the case of transfers referred to in the second subparagraph of Article 49(1), the documentation of suitable safeguards.
  - (f) Where possible, the envisaged time limits for erasure of the different categories of data.
  - (g) Where possible, a general description of the technical and organisational security measures referred to in Article 32(1).
- (2) Each processor and, where applicable, the processor’s representative shall maintain a record of all categories of processing activities carried out on behalf of a controller, containing:
  - (a) The name and contact details of the processor or processors and of each controller on behalf of which the processor is acting, and, where applicable, of the controller’s or the processor’s representative, and the data protection officer.
  - (b) The categories of processing carried out on behalf of each controller.
  - (c) Where applicable, transfers of personal data to a third country or an international organisation, including the identification of that third country or international organisation and, in the case of transfers referred to in the second subparagraph of Article 49(1), the documentation of suitable safeguards.
  - (d) Where possible, a general description of the technical and organisational security measures referred to in Article 32(1).
- (3) The records referred to in paragraphs 1 and 2 shall be in writing, including in electronic form.
- (4) The controller or the processor and, where applicable, the controller’s or the processor’s representative, shall make the record available to the supervisory authority on request.
- (5) The obligations referred to in paragraphs 1 and 2 shall not apply to an enterprise or an organisation employing fewer than 250 persons unless the processing it carries out is likely to result in a risk to the rights and freedoms of data subjects, the processing is not occasional, or the processing includes special categories of data as referred to in Article 9(1) or personal data relating to criminal convictions and offences referred to in Article 10.
Records of processing activities (UK GDPR, as modified by the Data Protection Act 2018)
- (1) Each controller and, where applicable, the controller’s representative, shall maintain a record of processing activities under its responsibility. That record shall contain all of the following information:
  - (a) The name and contact details of the controller and, where applicable, the joint controller, the controller’s representative and the data protection officer.
  - (b) The purposes of the processing.
  - (c) A description of the categories of data subjects and of the categories of personal data.
  - (d) The categories of recipients to whom the personal data have been or will be disclosed, including recipients in third countries or international organisations.
  - (e) Where applicable, transfers of personal data to a third country or an international organisation, including the identification of that third country or international organisation and, in the case of transfers referred to in the second subparagraph of Article 49(1), the documentation of suitable safeguards.
  - (f) Where possible, the envisaged time limits for erasure of the different categories of data.
  - (g) Where possible, a general description of the technical and organisational security measures referred to in Article 32(1), or, as appropriate, the security measures referred to in section 28(3) of the 2018 Act.
- (2) Each processor and, where applicable, the processor’s representative shall maintain a record of all categories of processing activities carried out on behalf of a controller, containing:
  - (a) The name and contact details of the processor or processors and of each controller on behalf of which the processor is acting, and, where applicable, of the controller’s or the processor’s representative, and the data protection officer.
  - (b) The categories of processing carried out on behalf of each controller.
  - (c) Where applicable, transfers of personal data to a third country or an international organisation, including the identification of that third country or international organisation and, in the case of transfers referred to in the second subparagraph of Article 49(1), the documentation of suitable safeguards.
  - (d) Where possible, a general description of the technical and organisational security measures referred to in Article 32(1), or, as appropriate, the security measures referred to in section 28(3) of the 2018 Act.
- (3) The records referred to in paragraphs 1 and 2 shall be in writing, including in electronic form.
- (4) The controller or the processor and, where applicable, the controller’s or the processor’s representative, shall make the record available to the Commissioner on request.
- (5) The obligations referred to in paragraphs 1 and 2 shall not apply to an enterprise or an organisation employing fewer than 250 persons unless the processing it carries out is likely to result in a risk to the rights and freedoms of data subjects, the processing is not occasional, or the processing includes special categories of data as referred to in Article 9(1) or personal data relating to criminal convictions and offences referred to in Article 10.
GDPR Article 30 addresses four key areas of record maintenance:
Article 30 also sets out exceptions to the above areas. Most notably, an organisation employing fewer than 250 people is not obliged to maintain processing records unless the processing it carries out is likely to result in a risk to the rights and freedoms of data subjects, the processing is ‘not occasional’, or the processing involves ‘special categories’ of data or data relating to criminal convictions and offences.
When addressing security within supplier relationships, organisations should ensure that both parties are aware of their obligations towards privacy and information security, and towards one another.
In doing so, organisations should:
Organisations should also maintain a register of agreements that lists all agreements held with other organisations.
Organisations should conform to legal, statutory, regulatory and contractual requirements when:
Organisations should follow procedures that allow them to identify, analyse and understand legislative and regulatory obligations – especially those that are concerned with privacy protection and PII – wherever they operate.
Organisations should be continually mindful of their privacy protection obligations whenever entering into new agreements with third-parties, suppliers and contractors.
When deploying encryption methods to bolster privacy protection and safeguard PII, organisations should:
In this section we talk about GDPR Articles 30 (1)(a), 30 (1)(b), 30 (1)(c), 30 (1)(d), 30 (1)(f), 30 (1)(g), 30 (3), 30 (4) and 30 (5).
Organisations need to maintain a thorough set of records that support their actions and obligations as a PII processor.
Records (otherwise known as ‘inventory lists’) should have a delegated owner, and may include:
From time to time, the need may arise to transfer PII between two distinct jurisdictions. When this occurs, organisations should justify and document the need for doing so.
Regional regulatory and legal rules vary depending on where the data has originated from, and where it’s going to be transferred to.
Organisations should take all relevant laws, frameworks and regulations into account whenever they need to transfer data between jurisdictions, including the use of a designated supervisory authority.
Organisations should keep a documented list of the countries and organisations that they could potentially transfer their PII to, under reasonable circumstances.
Once they’ve formulated a list, organisations should make the information available to their customers, including any subcontracted PII operations (see ISO 27701 Clause 7.5.1).
In certain circumstances – especially in the case of criminal investigations – confidentiality laws may prevent the organisation from revealing the identity of destination countries and organisations in advance (see ISO 27701 Clauses 8.5.4 and 8.5.5).
It’s vitally important that organisations keep an accurate record of PII transfers to third party organisations.
Organisations should be able to record PII that has been amended in any way (in line with the controller’s obligations and objectives), or transfers that are required before enacting a request from the PII principal to change or erase the PII.
Records should be subject to a proportional retention period, and should be subject to data minimisation rules that return only that which is needed to fulfil a specific objective.
Organisations should log any disclosure of PII to third parties, including the following three pieces of information:
It’s standard practice to disclose PII for a variety of reasons, throughout an organisation’s information processing operation.
Logs should be made of disclosures that occur during normal business practices, and of any special circumstances that arise (e.g. regulatory or legal investigations).
In this section we talk about GDPR Articles 30 (2)(a), 30 (2)(b), 30 (3), 30 (4) and 30 (5).
Organisations should keep accurate and up-to-date records that allow them, at any given time, to evidence compliance with any contractual obligations related to the processing of PII.
Depending on the jurisdiction, records may need to include:
Organisations need to have concrete plans in place that govern how PII can be returned, transferred or disposed of, and make all such policies available to the customer.
There are various scenarios that require the disposal of PII, including (but not limited to):
Organisations need to provide categorical assurances that any PII which is no longer needed is going to be destroyed in accordance with any prevailing legislation or regional guidelines.
All disposal policies should be available to the customer on demand, and should cover the period of time that organisations have to destroy PII, once a contract has been terminated.
Organisations should keep an accurate, up-to-date list of any countries or organisations to which PII could potentially be transferred.
Customers should be able to view a list of potential recipient countries and organisations at any given time, including a log of all countries involved in PII subcontracting (see ISO 27701 Clause 8.5.1).
In certain circumstances, particularly criminal proceedings, organisations will not always be able to divulge in advance where transfer requests have originated from. This is unavoidable, and it should be the organisation’s priority to uphold the integrity of a law enforcement operation (see ISO 27701 Clauses 7.5.1, 8.5.4 and 8.5.5).
Organisations should meticulously record any instances of them needing to disclose PII to a third party.
Whenever PII is disclosed – either as part of standard business routines or in special circumstances, such as an ongoing legal or regulatory process – organisations should record what’s been disclosed, the recipient, and the underlying reason for doing so.
| GDPR Article | ISO 27701 Clause | ISO 27002 Controls |
|---|---|---|
| EU GDPR Article 30 (2)(d) | 6.12.1.2 | 5.10, 5.12, 5.13, 5.20 |
| EU GDPR Article 30 (2)(d) | 6.15.1.1 | 5.20 |
| EU GDPR Articles 30 (1)(a) to 30 (5) | 7.2.8 | None |
| EU GDPR Article 30 (1)(e) | 7.5.1 | None |
| EU GDPR Article 30 (1)(e) | 7.5.2, 7.5.1, 8.5.4, 8.5.5 | None |
| EU GDPR Article 30 (1)(e) | 7.5.3 | None |
| EU GDPR Article 30 (1)(d) | 7.5.4 | None |
| EU GDPR Articles 30 (2)(a) to 30 (5) | 8.2.6 | None |
| EU GDPR Article 30 (1)(f) | 8.4.2 | None |
| EU GDPR Article 30 (2)(c) | 8.5.2, 7.5.1, 8.5.1, 8.5.4, 8.5.5 | None |
| EU GDPR Article 30 (1)(d) | 8.5.3 | None |
ISMS.online helps you demonstrate a level of protection that exceeds ‘reasonable’ in a secure, always-on location.
We make data mapping a simple task. By adding your organisation’s details to our preconfigured dynamic Records of Processing Activity tool, you can easily record and review it all.
If the worst happens, you’ll be ready.
With our tools, you can plan, communicate, document, and learn from every breach.
Find out more by booking a 30 minute demo.