GDPR (or the General Data Protection Regulation) has been around for over two years now. And like most two-year-olds, people have found ways to get some kind of compliance under control.
That’s not to say that there haven’t been bumps along the way. Organizations have balked at the international reach of the regulation. Technology solutions have lagged in comparison to the regulatory environment. Business processes have lagged as well.
Yet GDPR has continued to gain traction, especially as consumers look to protect their personal information wherever possible. Similar laws are being passed and going into action in the United States – the California Consumer Privacy Act is the first, but definitely not the last – and Brazil, Australia, and other places. It’s a big deal, globally.
And a big job. Compliance with GDPR is a significant undertaking for organizations. The first place we suggest starting? With a data inventory. And what does a data inventory require? Taking a good long look at Article 30 of GDPR.
Quick reference: What is GDPR?
GDPR is the most in-depth, comprehensive set of data protection regulations. GDPR, which went into effect in May 2018, limits what organizations can do with an EU resident’s personal data and codifies that resident’s right to determine how their data is used. Organizations don’t have to be located in the EU to feel the pressure of compliance or even conduct business with EU residents – if you simply collect their data, you’ve got to comply. (Or face some pretty hefty fines.)
Moreover, GDPR was a significant piece of legislation because it shifted the landscape on how personal data was defined. We all have a general understanding of personal data as information that identifies an individual. It can be something we all clearly associate with personal information, like a name or birthdate.
However, GDPR pushed the envelope. It’s definition included technology-specific items like digital identifiers like cookies. GDPR made a particular impact in creating special categories of personal data. These categories are more carefully guarded and include information about racial or ethnic origins, political or religious beliefs, genetic or biometric data, and more.
But GDPR isn’t just about defining data – it’s about structuring how and why companies can use it. Under GDPR, organizations that collect personal data have to keep records of processing activities. Herein lies the function of Article 30.
See a full list of special categories of personal data here. To do a deeper dive into GDPR issues, we have a helpful FAQ that reviews common issues and a wealth of detailed blog articles that explore GDPR.
A few words about Article 30
If GDPR focuses on accountability, Article 30 is one of the main tools to help create it. It tells organizations exactly what they need to document to be GDPR compliant. We’ll cover exactly what you should document for Article 30 below, but just as important as the actual data is keeping it up-to-date and organized.
This emphasis on organized data collection is why the process of data inventories is so important. You don’t actually need a data inventory to meet Article 30 requirements, but it would be next to impossible to do it without one. With a data inventory, you can establish data flows, you can figure out what is (or isn’t) accounted for, and pinpoint vulnerabilities resulting from information transfer.
Meeting Article 30 requirements
GDPR compliance isn’t something that can be handled overnight – it contains 99 articles with important definitions, instructions, and guidelines to incorporate into how your organization handles personal data. (And even when you’re done, you’re not really done – it’s an ongoing process. That’s why we serve as fractional CPOs to help companies manage the long-term work.)
But let’s zoom in on Article 30. Article 30 provides an important jumping-off point for any GDPR-related compliance by requiring that all organizations provide records of how all personal data is processed. This means providing an Article 30 report, though you might know this by the name of, yes, data inventories, but also data mapping or records of processing activities.
What do you need to collect to put together a data map/data inventory/record of processing activities/Article 30 report? Let’s take a look at the overall requirements referred to in the article and what they mean.
Get ready, get set, get your records ready
Under Article 30, any organization acting in a processing capacity has to keep a record of all categories of processing activities conducted on behalf of a controller. These records should contain the following information:
- Name and contact details of the controller
- Purpose of processing
- Categories of processing activities that are carried out for each controller
- Categories of data subjects and processed data
- Categories of processing activities that are carried out for each controller
It’s important to remember that an organization can be both a processor AND a controller. How to tell the difference? If you’re determining what data is collected and why, then you’re the controller. If you’re just doing the processing at the behest of another organization, then you’re the processor. As with everything in life and work, situations aren’t always black or white. Additional professional and legal guidance can be a big asset in navigating them.
Names and contact details of the controller
If applicable, you should include the name and contact details of your data protection officer and of any joint controllers that decide with you why and how personal data is processed.
Purpose of processing
One of the kickers of GDPR is that there needs to be a legal basis for collecting data. This can include (but again, isn’t limited to):
- When consent is given by the subject for a given purpose
- When data collection is necessary for a contract with the data subject
- When there is a legal obligation
- To protect the vital interests of the data subject
- For public interest or in the course of official authority
- The legitimate interests of the data controller or a third party as long as those interests don’t infringe on the rights of the data subject
Categories of processing activities that are carried out for each controller
According to Article 30, “processing’ means any operation or set of operations which is performed on personal data or on sets of personal data…”
That’s quite a broad definition, right? This broadness allows the regulation to apply to as many organizations that might have their hands on personal data as possible.
Article 30 does provide a (non-exhaustive) set of examples for guidance, though. Data processing includes (but is in no way limited to), “collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.”
As per this requirement, you don’t just have to pinpoint who is doing the collecting and processing. You also have to identify the “categories of recipients of personal data,” that is, anyone that you’re sharing collected personal data with. This could include vendors, government agencies, credit bureaus, and more.
Categories of data subjects and of the categories of personal data
Article 30 requires that categories of data subjects and processed personal data are included in records of processing activities. In a more straightforward way, this just means what kind of information you’re collecting and about whom.
Personal data
- Name
- Home address
- E-mail address
- Personal phone number
- Work phone number
- Birthday/age Languages
- Passport details
- Social security number or other national identifiers
- Driver’s license details
- Sex
- Marital status
- Wage/salary
- Bank account
- Credit card details
- Education level/diplomas
Data subjects
- Current personnel
- Former personnel
- Contractors/consultants/freelancers
- Students
- Volunteers
- Directors
- Shareholders
- Beneficiaries
- Public officers
- Consumers
- Website end-users
- Customers
- Prospects
- Suppliers
Special categories of data
- Race and ethnic origin
- Religious or philosophical beliefs
- Political opinions
- Trade union memberships
- Biometric data used to identify an individual
- Genetic data
- Health data
- Data related to sexual preferences, sex life, and/or sexual orientation
Where applicable/possible
You may also need to include information on the following:
- Identification of any transfer of personal data to another country or international organization. This needs to meet cross border transfer requirements.
- Time limits for the erasure of different categories of data
- General description of the technical and organizational security measures
How to go about the work of meeting Article 30 requirements?
Data inventories don’t just create themselves! Knowing what you need to put together is half the battle, but you also need to determine effective internal processes to do the work. Some things to consider:
- Are you starting from scratch or using an existing data map?
- How are you going to populate it: automated scanning? Questionnaires? API integration?
- How far back are you collecting data?
- Who is doing the work – your IT team? Legal?
And, importantly, what is your long-term strategy for maintaining your records? Compliance is never a one-and-done deal. It requires care, attention, and strategy over time.
If you’re ever feeling overwhelmed, let us know. We’re happy to advise. Red Clover Advisors has been a partner in guiding clients through the process of meeting GDPR compliance requirements for US. We help you create a comprehensive strategy covering data inventories, privacy policies, and data protection that are custom-built for your company’s needs.
To get started with your own roadmap, reach out to set up a free consultation with our team today.