What Is Article 30 Of The GDPR?

Of all the requirements of the GDPR, few are more discussed (and often debated) than the need to keep records of data being processed. Some say “if you don’t have to, why would you?” Others are more in the camp of “better to have it and not need it than need it and not have it.” Below we will explain what records of processing are, what is required and who should do them.

What Is Article 30 Of The GDPR?

Article 30 is the GDPR requirement that says Data Controllers and Data Processors have a responsibility to maintain records of processing of data about individuals. This is known as Records of Processing Activities (RoPA) or “Article 30 Reporting.” This can be very involved and leverage technology or as simple as a manual accounting of in-scope data processing.

When Should I Do RoPAs?

Compliance with GDPR Principles must be demonstrated. The absence of a violation is not enough. RoPAs provide evidence to regulators of compliant data processing. They also provide a company with the ability to document reasoning behind a particular data activity. More on this in a moment.

Exceptions

Article 30(5) says:

The obligations referred to in paragraphs 1 and 2 shall not apply to an enterprise or an organization employing fewer than 250 persons unless the processing it carries out is likely to result in a risk to the rights and freedoms of data subjects, the processing is not occasional, or the processing includes special categories of data as referred to in Article 9(1) or personal data relating to criminal convictions and offences referred to in Article 10.

Broken down:

  1. If your organization has fewer than 250 people AND UNLESS
  2. Processing is likely to result in a risk to the rights and freedoms of individuals
  3. The processing is not occasional
  4. The processing includes special category data

In short, RoPAs should be done when a company is in-scope, which is defined as companies with 250 or more employees or processing is likely to result in risk to individuals (and not occasional).

Maintain Records of Processing Activities
In most cases, companies should maintain detailed records of data processing. The right solution to meet this need is key.

How Do I Do GDPR Article 30 Reporting?

In general, if your company has to fulfill the Article 30 requirement to maintain records of processing, using privacy enhancing technology (PETs) is a best practice. As companies acquire more and more data and do more and more with it, manually tracking activity really isn’t practical. That being said, if your processing of in-scope data is occasional and you have a small enterprise, many companies utilize checklists and templates available online. The UK’s ICO offers some really helpful tools including a template for records of processing. Below is what is required by the regulation for both Data Controllers and Data Processors.

How To Do RoPA
Leveraging technology for records of processing is usually a wise investment. First for consistent recording and second for management with third parties if involved.

Requirements For Controllers

Article 30(1) says:

Each controller and, where applicable, the controller’s representative, shall maintain a record of processing activities under its responsibility. That record shall contain all of the following information:

  1. the name and contact details of the controller and, where applicable, the joint controller, the controller’s representative and the data protection officer;
  2. the purposes of the processing;
  3. a description of the categories of data subjects and of the categories of personal data;
  4. the categories of recipients to whom the personal data have been or will be disclosed including recipients in third countries or international organizations;
  5. where applicable, transfers of personal data to a third country or an international organization, including the identification of that third country or international organization and, in the case of transfers referred to in the second subparagraph of Article 49(1), the documentation of suitable safeguards;
  6. where possible, the envisaged time limits for erasure of the different categories of data;
  7. where possible, a general description of the technical and organizational security measures referred to in Article 32(1).
Requirements for Data Controllers
Data Controllers have different obligations for record keeping under the GDPR than Data Processors. Primarily, they are responsible for what data is used for and by what means.

Requirements For Processors

Article 30(2) says:

Each processor and, where applicable, the processor’s representative shall maintain a record of all categories of processing activities carried out on behalf of a controller, containing:

  1. the name and contact details of the processor or processors and of each controller on behalf of which the processor is acting, and, where applicable, of the controller’s or the processor’s representative, and the data protection officer;
  2. the categories of processing carried out on behalf of each controller;
  3. where applicable, transfers of personal data to a third country or an international organization, including the identification of that third country or international organization and, in the case of transfers referred to in the second subparagraph of Article 49(1), the documentation of suitable safeguards;
  4. where possible, a general description of the technical and organizational security measures referred to in Article 32(1).
Requirements for Data Processors
Data Processors do have fewer RoPA obligations than Controllers but recording processing activity is no less important. Being able to demonstrate execution of instructions is a very common need.

Should I Do RoPAs Even If Not Required?

Keeping records of data processing when not required should be discussed with your legal and privacy team. Here are some reasons why it’s worth considering.

  1. When dealing with data protection authorities, specifically in GDPR protected countries, intent matters (a lot). The ability to demonstrate compliance (or a good faith attempt) and explain clearly what your reasons were for a processing activity could make all the difference between a fine and an enormous fine.
  2. Doing RoPAs on all processing will improve your ability to analyze and report on data activity. This opens up opportunities to see if seemingly unrelated activities are creating a violation and otherwise undetected risk.
  3. Often, decision context is lost with staff changes. While data processes might be documented at a technical level (source, tech, challenges, etc.), limits put on a process, tradeoffs, risk mitigation and similar, may not be documented if not to fulfill GDPR Article 30 requirements.

Conclusion:

While Article 30 of the GDPR can be onerous, this activity can have advantages beyond regulatory compliance. It can help detect risk and make things a lot smoother in the event of a data breach. Additionally, with companies experiencing so much turnover and contract work becoming even more common, Article 30 Reporting could prove to be a very good investment in future understanding of your data estate.

Schedule a Free Consultation

We'll respond within 24 hours to schedule a call with one of our firm's partners. No pressure! We're IT/compliance folks and not pushy — and we like that about us.

Scroll to Top