'I need the Article 30 Records please'

If your plan is to 'magic up' these key GDPR records, don't panic, we've got your back

‘I need the Article 30 Records please’

If you believe some surveys, that request is a walk in the park for most organisations, given reported compliance with GDPR.  We don’t believe those surveys, based on our conversations in the market.  One we think is nearer to the mark is Capgemini’s report that only 28% of respondents claimed GDPR-compliance one year after GDPR took effect (compared to 78% who confidently said they would be, back in early 2018).  We still think that’s high for all sectors apart from the very largest enterprises.

So that request typically sends a chill down the collective spine.  We can really help you here and turn you into a GDPR superhero at the click of a button!

What are Article 30 Records?

Well, Article 30 (of both the EU GDPR and UK GDPR) requires organisations to keep a record of processing activities where they process personal data as a controller, and a slightly different one where they’re a processor.  The exact contents are set out in Article 30, which is literally entitled ‘Records of processing activities‘.

For more on the terminology, we’ve a great blog post that goes into more detail on the differences between your Article 30 Records, RoPA, Asset Register, Information Asset Register, and Data Map.

Doctor, Doctor, I can’t see the purpose

Article 30 of GDPR applies to NHS Trusts as much as any other organisation.  Plus the NHS Data Security and Protection Toolkit (DPS Toolkit) reinforces the need to document all uses and flows of personal data.  Yet, in December 2020, the UK Information Commissioner’s Office published a summary of its audit of 12 NHS Trusts over 12 months ending May 2019.  They made 312 recommendations, over 50% of which (167) were urgent or high priority.

The UK ICO’s first ‘Headline area of concern’ was ‘Documenting personal data processing’.  The UK ICO noted that:

Most of the Trusts did not have a [record of processing activities under Article 30 GDPR] in place, some had not even started the process.

So when someone, anyone, asks for the Article 30 Records, these Trusts are going to find it hard to comply – and the people tasked with GDPR are going to be in a very stressful situation.

How are YOU feeling?

We want to stress we’re not criticising at all and that this data point backs up our belief that even basic levels of understanding and compliance with GDPR are still a challenge for almost every organisation no matter what industry you look at, public or private.  And this is becoming more and more untenable.  It’s why we founded Keepabl – we believe we can really help every organisation on this!

Why this matters HUGELY

The personal data inventory, from which you create your Article 30 Records, is the very first, fundamental part of Privacy compliance.  We call this broader inventory your Data Map in our Privacy SaaS.  You can’t do gap analysis and remediation to move towards compliance if you don’t know where your personal data is and what you do with it.

Bottom line: if you don’t have your personal data inventory in good shape, you won’t be able to comply with GDPR.

The human factor

Again, in our view, most people dealing with GDPR for their organisations are not Privacy professionals.  They’re usually professionals in IT, Security, Ops or Compliance who’ve been thrown GDPR because their area is most aligned with it and no-one else wants it.  They’re not Privacy experts – and why would they be? – so they’re feeling vulnerable about this new role, on top of the many other hats they wear.  They may retrench into their comfort zone, which is a mistake.

A common mistake is to rely on an IT or Security asset register as the records of processing activities, or ‘RoPA’, or their information asset register if they’re UK public sector.  However, the UK ICO, in that December report on NHS Trusts, noted:

‘Some Trusts were using their information asset register as a form of ROPA, but we did not believe that these provided the required level of detail.’

There’s an excellent and spirited discussion on Data Maps, and what they are, in Privacy Kitchen from December 2020 as it happens, and we recommend our great blog post on all the different terminology.

How we can help

At Keepabl, we call this broader inventory your Data Map.  When you use our SaaS Solution, as you easily enter your processing activities into the solution, you’re creating this Data Map and we’re instantly and automatically creating:

  • your Article 30 Records, both as Controller and as Processor,
  • your Risk Map, and
  • your other key reports, including Processors and Transfers,

all without you needing to do it!  So you can get your Article 30s with one click, or give tailored access to them in your Keepabl account.  You can quickly and visually demonstrate your compliance.  And our unique Activity Analysis, instantly interrogating your Data Map, gives you actionable insights you need to get the job done on GDPR compliance.

You can see more in our Service Description and Customer Case Studies.  Why not book your demo to see how easy we make compliance!

Related Articles

Data Subject Rights
DSRs or Individuals' Rights: A Backgrounder

Data Subject Rights or DSRs have been around for decades, but GDPR massively reinforced and extended them when it took effect in 2018 – five years ago now. Laws around the…

Read More
Spot the Processor
Know your Sub-Processors from your Joint Controllers with powerful Entities Registers

Spot check! Within 30 seconds, can you show us a list of all the entities involved in your organisation’s personal data processing, plus have them separated out by role, and…

Read More