Article 30 provides for an obligation to keep a processing record for all organizations that process personal data on a regular basis in the course of their activities.
What is a processing record?
To explain what it is simply, it is a document listing all processing of personal data that allows companies and data protection authorities to have an overview of the data processing.
What is the purpose of a processing record?
It helps identifying the different actors involved in these processings, the categories of data processed, what they are used for, who can access them, how and to whom they are communicated, the storage time and the security measures implemented.
This step is necessary to identify and prioritize the risks linked to the processing, in order to establish an action plan to comply with the GDPR.
How to set up a data processing record?
First of all, you must list all the personal data processing activities carried out by the organization concerned. Note that each activity must be the subject of a register sheet.
After having referenced these processing operations, it is necessary to ensure that a certain amount of information is available and that it is included in the register.
This includes information about the organization concerned, i.e. its name, contact details and those of its representative if it is not established in the EU, as well as the identity of its Data Protection Officer.
Secondly, each processing activity sheet must include the name and contact details of the joint controller of the processing carried out.
In addition to the information related to the identity of the actors involved in the data processing, several details about the processing itself must be indicated. The purpose or purposes of the data collection, the categories of people concerned by the processing, the list of the different categories of data, the categories of recipients to whom the personal data have been or will be communicated must therefore be indicated on each form. It is also necessary to specify all transfers of personal data to a country outside the EU, as well as the retention periods for each category of data; or in the absence of a precise period, the criteria used to determine them.
To help data controllers and processors, the french data protection authority CNIL published a template of a record that companies have to fill in. It is important to mention that in order to create an effective processing record, a company has to follow an effective data archiving policy. If you're curious about what other obligations companies have to follow, this article lists them all.