Article 30 of the UK GDPR requires controllers and processors to keep records of their data processing activities, and it also specifies what those records must contain. For controllers:
“(a) the name and contact details of the controller and, where applicable, the joint controller, and the data protection officer;
(b) the purposes of the processing;
(c) a description of the categories of data subjects and of the categories of personal data;
(d) the categories of recipients to whom the personal data have been or will be disclosed including recipients in third countries or international organisations;
(e) where applicable, transfers of personal data to a third country or an international organisation, including the identification of that third country or international organisation and, in the case of transfers referred to in the second subparagraph of Article 49(1), the documentation of appropriate safeguards;
(f) where possible, the envisaged time limits for erasure of the different categories of data;
(g) where possible, a general description of the technical and organisational security measures.”
And for processors:
“(a) the name and contact details of the processor or processors and of each controller on behalf of which the processor is acting, and the data protection officer;
(b) the categories of processing carried out on behalf of each controller;
(c) where applicable, transfers of personal data to a third country or an international organisation, including the identification of that third country or international organisation and, in the case of transfers referred to in the second subparagraph of Article 49(1), the documentation of appropriate safeguards;
(d) where possible, a general description of the technical and organisational security measures.”
This information is key to data protection compliance. Most of it is required to draft a Privacy Notice, fulfilling the controller’s obligation (Articles 13 and 14) to provide information about data processing to its data subjects. It is impossible to draft an accurate Privacy Notice without knowing the purposes of the processing, the categories of personal data held, the categories of recipient, any transfers to countries outside the UK and the applicable data retention periods.
In addition, the categories of recipient identify where further work is required to distinguish between recipients that are controllers and those that are processors of personal data, and they inform further compliance checks to ensure that data sharing agreements are in place with controllers and data processing agreements (the Article 28 contract terms) are in place with processors.
Other compliance activity is also informed by the Article 30 records. For example, they identify transfers of personal data to third countries, showing where compliance checks are needed to review restricted transfers and the mechanisms adopted to make them lawful. Article 30 records should also describe how personal data is collected, which indicates what policies and procedures are required: collection of CCTV images indicates that a CCTV policy and procedures are required; telephone call recording indicates that a policy and procedures around audio recording are required.
So when selecting a format for Article 30 records, bear in mind that they should give an outsider a good overview of the organisation’s data processing activity: not too much detail, but sufficient to provide a clear picture and to surface the compliance workstreams around data sharing, data processing, international transfers, data retention, policies and procedures, and meeting information requirements (Privacy Notices).
If more detailed records of processing are wanted, individual teams or departments can expand the Article 30 records to suit their needs, but avoid generating confusion by including too much detail in the Article 30 records themselves. Article 30 records based on processes at the very lowest level are of no use to compliance practitioners. Similarly, records based on IT systems can over-complicate the Article 30 records, as dataflows around an organisation are often complex and generate too much detail. There is a place for this detail, but not in the compliance overview.
In summary, the UK GDPR mandates records of data processing. When creating these, make sure that they give a good overview of processing activity, so that it would be clear to an outsider exactly what processing is taking place and why. Also bear in mind that more detailed records can be useful at departmental level, but that level of detail is not what Article 30 requires and will not be helpful to the compliance team.