The GDPR only passed on 25 May 2018 and the Dutch DPA is now checking to see if businesses are complying with one of the most fundamental ongoing requirements: maintaining your Article 30 Records.
Is this just spin?
Not at all. All controllers and processors must maintain certain records under Article 30 of the GDPR. And supervisory authorities – the data protection authorities – can ask to see them at any time.
Very unlikely. First, Article 30 Records must be maintained by every controller and processor with 250 or more employees. Second, even if you’re under 250 employees, you still need to maintain them if, for example, your processing is likely to result in a risk to data subjects, is not occasional, or the processing includes special categories. If you’ve a single employee, you’ve got to maintain these records.
Before GDPR, controllers had to register with their data protection authority and notify the DPA of the categories of personal data they processed, the data subjects, the purposes, and other high-level details on transfers etc. If you printed your notification out, it’d be about a page and a half.
But there was quite a disparity around the EEA in terms of what you had to do, and this is one area that GDPR set out to harmonise. While you still need to register with the UK ICO, for example, GDPR does away with that summary notification of your processing activities: you now have to maintain something similar yourself, as your ‘Article 30 Records’.
(They’re called that because the obligation is in Article 30 of the GDPR. And the obligation is now on processors as well as controllers.)
So, do you have yours ready and can you locate them right now? Do they automatically update over time as your activities change?
See how Keepabl’s Privacy-as-a-Service automatically and instantly creates your Article 30 Records as you create your Data Map, and how we update them instantly as soon as you change your details.
It’s one of the ways Keepabl makes GDPR compliance easier.