If you believe some surveys, that request is a walk in the park for most organisations, given reported compliance with GDPR. We don’t believe those surveys, based on our conversations in the market. One we think is nearer to the mark is Capgemini’s report that only 28% of respondents claimed GDPR-compliance one year after GDPR took effect (compared to 78% who confidently said they would be, back in early 2018). We still think that’s high for all sectors apart from the very largest enterprises.
So that request typically sends a chill down the collective spine. We can really help you here and turn you into a GDPR superhero at the click of a button!
Well, Article 30 (of both the EU GDPR and UK GDPR) requires organisations to keep a record of processing activities where they process personal data as a controller, and a slightly different one where they’re a processor. The exact contents are set out in Article 30, which is literally entitled ‘Records of processing activities‘.
For more on the terminology, we’ve a great blog post that goes into more detail on the differences between your Article 30 Records, RoPA, Asset Register, Information Asset Register, and Data Map.
Article 30 of GDPR applies to NHS Trusts as much as any other organisation. Plus the NHS Data Security and Protection Toolkit (DPS Toolkit) reinforces the need to document all uses and flows of personal data. Yet, in December 2020, the UK Information Commissioner’s Office published a summary of its audit of 12 NHS Trusts over 12 months ending May 2019. They made 312 recommendations, over 50% of which (167) were urgent or high priority.
The UK ICO’s first ‘Headline area of concern’ was ‘Documenting personal data processing’. The UK ICO noted that:
‘Most of the Trusts did not have a [record of processing activities under Article 30 GDPR] in place, some had not even started the process.‘
So when someone, anyone, asks for the Article 30 Records, these Trusts are going to find it hard to comply – and the people tasked with GDPR are going to be in a very stressful situation.
We want to stress we’re not criticising at all and that this data point backs up our belief that even basic levels of understanding and compliance with GDPR are still a challenge for almost every organisation no matter what industry you look at, public or private. And this is becoming more and more untenable. It’s why we founded Keepabl – we believe we can really help every organisation on this!
The personal data inventory, from which you create your Article 30 Records, is the very first, fundamental part of Privacy compliance. We call this broader inventory your Data Map in our Privacy SaaS. You can’t do gap analysis and remediation to move towards compliance if you don’t know where your personal data is and what you do with it.
Again, in our view, most people dealing with GDPR for their organisations are not Privacy professionals. They’re usually professionals in IT, Security, Ops or Compliance who’ve been thrown GDPR because their area is most aligned with it and no-one else wants it. They’re not Privacy experts – and why would they be? – so they’re feeling vulnerable about this new role, on top of the many other hats they wear. They may retrench into their comfort zone, which is a mistake.
A common mistake is to rely on an IT or Security asset register as the records of processing activities, or ‘RoPA’, or their information asset register if they’re UK public sector. However, the UK ICO, in that December report on NHS Trusts, noted:
‘Some Trusts were using their information asset register as a form of ROPA, but we did not believe that these provided the required level of detail.’
There’s an excellent and spirited discussion on Data Maps, and what they are, in Privacy Kitchen from December 2020 as it happens, and we recommend our great blog post on all the different terminology.
At Keepabl, we call this broader inventory your Data Map. When you use our SaaS Solution, as you easily enter your processing activities into the solution, you’re creating this Data Map and we’re instantly and automatically creating:
all without you needing to do it! So you can get your Article 30s with one click, or give tailored access to them in your Keepabl account. You can quickly and visually demonstrate your compliance. And our unique Activity Analysis, instantly interrogating your Data Map, gives you actionable insights you need to get the job done on GDPR compliance.
The GDPR only passed on 25 May 2018 and the Dutch DPA is now checking to see if businesses are complying with one of the most fundamental ongoing requirements: maintaining…