When privacy policies make it into the news, it’s rarely because people are raving about them. Bad privacy policies are talked about, lambasted for being incomprehensible, unfriendly, and, frankly, unreadable. (Just take a look at The New York Times’ “We Read 150 Privacy Policies. They Were an Incomprehensible Disaster” to see just how excruciatingly unreadable […]
You’ve made sure you’re complying with GDPR. Everything is taken care of for CCPA. That’s great! Now what about CPRA? Wait, you might be saying, you just said that – you mean CCPA. And I’m squared away, thank you very much. Not the case. While the California Consumer Privacy Act has just become enforceable as […]
The California Consumer Privacy Act (CCPA) has been on the horizon for a long time. It was passed on June 28, 2018, but the lead time on finalization and enforcement has been a slow road. However, the wait is over – enforcement has become enforceable as of 2020. (Yes, it’s been in effect since January […]
GDPR (or the General Data Protection Regulation) has been around for over two years now. And like most two-year-olds, people have found ways to get some kind of compliance under control.
That’s not to say that there haven’t been bumps along the way. Organizations have balked at the international reach of the regulation. Technology solutions have lagged in comparison to the regulatory environment. Business processes have lagged as well.
Yet GDPR has continued to gain traction, especially as consumers look to protect their personal information wherever possible. Similar laws are being passed and going into action in the United States – the California Consumer Privacy Act is the first, but definitely not the last – and Brazil, Australia, and other places. It’s a big deal, globally.
And a big job. Compliance with GDPR is a significant undertaking for organizations. The first place we suggest starting? With a data inventory. And what does a data inventory require? Taking a good long look at Article 30 of GDPR.
GDPR is the most in-depth, comprehensive set of data protection regulations. GDPR, which went into effect in May 2018, limits what organizations can do with an EU resident’s personal data and codifies that resident’s right to determine how their data is used. Organizations don’t have to be located in the EU to feel the pressure of compliance or even conduct business with EU residents – if you simply collect their data, you’ve got to comply. (Or face some pretty hefty fines.)
Moreover, GDPR was a significant piece of legislation because it shifted the landscape on how personal data was defined. We all have a general understanding of personal data as information that identifies an individual. It can be something we all clearly associate with personal information, like a name or birthdate.
However, GDPR pushed the envelope. It’s definition included technology-specific items like digital identifiers like cookies. GDPR made a particular impact in creating special categories of personal data. These categories are more carefully guarded and include information about racial or ethnic origins, political or religious beliefs, genetic or biometric data, and more.
But GDPR isn’t just about defining data – it’s about structuring how and why companies can use it. Under GDPR, organizations that collect personal data have to keep records of processing activities. Herein lies the function of Article 30.
See a full list of special categories of personal data here. To do a deeper dive into GDPR issues, we have a helpful FAQ that reviews common issues and a wealth of detailed blog articles that explore GDPR.
If GDPR focuses on accountability, Article 30 is one of the main tools to help create it. It tells organizations exactly what they need to document to be GDPR compliant. We’ll cover exactly what you should document for Article 30 below, but just as important as the actual data is keeping it up-to-date and organized.
This emphasis on organized data collection is why the process of data inventories is so important. You don’t actually need a data inventory to meet Article 30 requirements, but it would be next to impossible to do it without one. With a data inventory, you can establish data flows, you can figure out what is (or isn’t) accounted for, and pinpoint vulnerabilities resulting from information transfer.
GDPR compliance isn’t something that can be handled overnight – it contains 99 articles with important definitions, instructions, and guidelines to incorporate into how your organization handles personal data. (And even when you’re done, you’re not really done – it’s an ongoing process. That’s why we serve as fractional CPOs to help companies manage the long-term work.)
But let’s zoom in on Article 30. Article 30 provides an important jumping-off point for any GDPR-related compliance by requiring that all organizations provide records of how all personal data is processed. This means providing an Article 30 report, though you might know this by the name of, yes, data inventories, but also data mapping or records of processing activities.
What do you need to collect to put together a data map/data inventory/record of processing activities/Article 30 report? Let’s take a look at the overall requirements referred to in the article and what they mean.
Under Article 30, any organization acting in a processing capacity has to keep a record of all categories of processing activities conducted on behalf of a controller. These records should contain the following information:
It’s important to remember that an organization can be both a processor AND a controller. How to tell the difference? If you’re determining what data is collected and why, then you’re the controller. If you’re just doing the processing at the behest of another organization, then you’re the processor. As with everything in life and work, situations aren’t always black or white. Additional professional and legal guidance can be a big asset in navigating them.
If applicable, you should include the name and contact details of your data protection officer and of any joint controllers that decide with you why and how personal data is processed.
One of the kickers of GDPR is that there needs to be a legal basis for collecting data. This can include (but again, isn’t limited to):
According to Article 30, “processing’ means any operation or set of operations which is performed on personal data or on sets of personal data…”
That’s quite a broad definition, right? This broadness allows the regulation to apply to as many organizations that might have their hands on personal data as possible.
Article 30 does provide a (non-exhaustive) set of examples for guidance, though. Data processing includes (but is in no way limited to), “collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.”
As per this requirement, you don’t just have to pinpoint who is doing the collecting and processing. You also have to identify the “categories of recipients of personal data,” that is, anyone that you’re sharing collected personal data with. This could include vendors, government agencies, credit bureaus, and more.
Article 30 requires that categories of data subjects and processed personal data are included in records of processing activities. In a more straightforward way, this just means what kind of information you’re collecting and about whom.
You may also need to include information on the following:
Identification of any transfer of personal data to another country or international organization. This needs to meet cross border transfer requirements.
Time limits for the erasure of different categories of data
General description of the technical and organizational security measures
Data inventories don’t just create themselves! Knowing what you need to put together is half the battle, but you also need to determine effective internal processes to do the work. Some things to consider:
Are you starting from scratch or using an existing data map?
How are you going to populate it: automated scanning? Questionnaires? API integration?
How far back are you collecting data?
Who is doing the work - your IT team? Legal?
And, importantly, what is your long-term strategy for maintaining your records? Compliance is never a one-and-done deal. It requires care, attention, and strategy over time.
If you’re ever feeling overwhelmed, let us know. We’re happy to advise. Red Clover Advisors has been a partner in guiding clients through the process of meeting GDPR compliance requirements for US. We help you create a comprehensive strategy covering data inventories, privacy policies, and data protection that are custom-built for your company’s needs.
To get started with your own roadmap, reach out to set up a free consultation with our team today.
For many organizations in the US and abroad, the General Data Privacy Regulation (GDPR) and the California Consumer Privacy Act (CCPA) lay the groundwork for how data security and consumer privacy are approached. These regulations have made big impacts in the data landscape. An important element of these legislative landmarks? The need for businesses to […]
Red Clover Advisors is a certified Women’s Business Enterprise.