What does Article 30 require?
Article 30 of the EU General Data Protection Regulation (GDPR) requires controllers and processors to keep a written record of their processing activities (electronic form is fine) and to make it available to the supervisory authority on request. Because the GDPR places such weight on accountability, organisations must now document such things as the purposes of processing, the categories of data they process and the recipients they share it with. Article 30 itself does not list the lawful basis, but recording it alongside these entries is common practice, since Article 5(2) requires you to be able to demonstrate it.
What do you need to do to comply with Article 30?
You need to put together a record of all the required information (listed further down in this blog) and make sure it is kept up to date. If a new processing activity starts, a supplier changes or your data protection officer (DPO) changes, make updating your Article 30 records part of that process. Note that Article 30(5) exempts organisations with fewer than 250 employees, but only if the processing is occasional, is unlikely to result in a risk to individuals and involves no special categories of data or criminal conviction data; in practice most organisations fall outside the exemption for at least some of their processing.
One key part of this record-keeping activity is to document the category of individuals (employees, customers, etc.) whose data you process, the categories of personal data (name, financial information), the recipients and transfer mechanisms used. The best way to do this is to conduct a data flow audit, where you will look at all the personal data within your organisation and map where it comes from, what it is, where it is stored and where it goes next. It helps you identify all the information you hold and how it transfers from one location to another, such as from suppliers and sub-suppliers through to customers.
You might be surprised at how often your information is copied or transferred. If any personal data is unaccounted for, you cannot protect it or honour individuals' rights over it, so you are not only at greater risk of a data breach but also non-compliant with Article 30 of the GDPR, because your record is incomplete.
But data flow maps are about more than being organised and efficient. They also help organisations identify weaknesses in the way information is transferred and establish the steps needed to secure those transfers.
Where to begin with a data flow map?
You should begin your data mapping exercise by identifying the following key elements:
- Data items (e.g. names, email addresses, records).
- Formats (e.g. hard copy forms, online data entry, database).
- Transfer methods (e.g. post, telephone, internal/external).
- Locations (e.g. offices, Cloud, third parties).
Each of these comes with its own risks, which you'll need to take note of. For example, a Cloud service could be rendered temporarily unavailable, hindering your access to important documents, while hard copy sent by post can be lost or read in transit.
Once you've listed every risk, you should look for ways to mitigate them. You'll probably find that you can eradicate many risks simply by cutting back on the amount of data you collect and transfer. This will also help you meet two more of the GDPR's requirements, data minimisation and storage limitation (Article 5(1)(c) and (e)): organisations should collect only as much data as necessary and store it for only as long as necessary.
The full list of Article 30 requirements:
The Information Commissioner’s Office (ICO) is the supervisory authority for the UK and has compiled an easy-to-understand list of what is required under Article 30 of the GDPR:
- “Your organisation’s name and contact details.
- If applicable, the name and contact details of your data protection officer – a person designated to assist with GDPR compliance under Article 37.
- If applicable, the name and contact details of any joint controllers – any other organisations that decide jointly with you why and how personal data is processed.
- If applicable, the name and contact details of your representative – another organisation that represents you if you are based outside the EU, but you monitor or offer services to people in the EU.
- The purposes of the processing – why you use personal data, e.g. customer management, marketing, recruitment.
- The categories of individuals – the different types of people whose personal data is processed, e.g. employees, customers, members.
- The categories of personal data you process – the different types of information you process about people, e.g. contact details, financial information, health data.
- The categories of recipients of personal data – anyone you share personal data with, e.g. suppliers, credit reference agencies, government departments.
- If applicable, the name of any third countries or international organisations that you transfer personal data to – any country or organisation outside the EU.
- If applicable, the safeguards in place for exceptional transfers of personal data to third countries or international organisations. An exceptional transfer is a non-repetitive transfer of a small number of people’s personal data, which is based on a compelling business need, as referred to in the second paragraph of Article 49(1) of the GDPR.
- If possible, the retention schedules for the different categories of personal data – how long you will keep the data for. This may be set by internal policies or based on industry guidelines, for instance.
- If possible, a general description of your technical and organisational security measures – your safeguards for protecting personal data, e.g. encryption, access controls, training.”
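Once the four data flow elements above (data items, formats, transfer methods, locations) and the Article 30 entries are written down as structured data rather than prose, the "unaccounted for" checks the blog describes can be automated. The following is an added example, not code from the original post or from the ICO or Vigilant Software. It assumes a hypothetical `Article30Record` structure and a constructed sample inventory for a fictitious controller, and uses a deliberately abbreviated EEA country list; it flags flows into unregistered locations, recipients and third countries missing from the record, third-country transfers with no safeguard, data items with no retention period, and data items that flow but serve no recorded purpose (a data minimisation prompt).

```python
"""Cross-check a data flow map against an Article 30 record.

Added example with constructed sample data; the record layout and the
check_record() rules are this example's own, not an official schema.
"""
from dataclasses import dataclass

# Assumption: abbreviated EEA list for illustration only (not exhaustive).
EEA = {"AT", "BE", "DE", "DK", "ES", "FI", "FR", "IE", "IT",
       "NL", "PL", "PT", "SE", "NO", "IS", "LI"}


@dataclass(frozen=True)
class Location:
    name: str      # e.g. "HQ", "CRM SaaS", "Payroll bureau"
    country: str   # ISO 3166-1 alpha-2 code
    kind: str      # "office", "cloud" or "third party"


@dataclass(frozen=True)
class DataFlow:
    items: tuple        # data items carried, e.g. ("name", "email")
    fmt: str            # format: "database", "hard copy", "spreadsheet"...
    method: str         # transfer method: "api", "post", "email"...
    source: str         # Location.name the data comes from
    destination: str    # Location.name the data goes to


@dataclass
class Article30Record:
    controller: str
    purposes: dict        # purpose -> tuple of data items used for it
    recipients: set       # named recipients / recipient categories
    third_countries: set  # countries outside the EEA data is sent to
    safeguards: dict      # country -> transfer safeguard (e.g. "SCCs")
    retention: dict       # data item -> retention period
    security_measures: tuple = ()


def check_record(record, locations, flows):
    """Return a list of human-readable findings (empty list = consistent)."""
    loc = {l.name: l for l in locations}
    findings = []

    def add(msg):
        if msg not in findings:          # report each gap once
            findings.append(msg)

    for f in flows:
        for end in (f.source, f.destination):
            if end not in loc:
                add(f"unmapped location: {end!r} in flow {f.source} -> {f.destination}")
        dest = loc.get(f.destination)
        if dest is None:
            continue
        # Anything that is not one of our own offices is a recipient.
        if dest.kind != "office" and dest.name not in record.recipients:
            add(f"recipient not recorded: {dest.name}")
        if dest.country not in EEA:
            if dest.country not in record.third_countries:
                add(f"third country not recorded: {dest.country} ({dest.name})")
            if dest.country not in record.safeguards:
                add(f"no transfer safeguard recorded for {dest.country}")
        for item in f.items:
            if item not in record.retention:
                add(f"no retention period for {item!r}")

    # Data minimisation prompt: items that move around but serve no purpose.
    used = {i for items in record.purposes.values() for i in items}
    flowing = {i for f in flows for i in f.items}
    for item in sorted(flowing - used):
        add(f"data item {item!r} is processed but tied to no recorded purpose")
    return findings


# Constructed sample inventory for a fictitious controller.
SAMPLE_LOCATIONS = (
    Location("HQ", "IE", "office"),
    Location("CRM SaaS", "US", "cloud"),
    Location("Payroll bureau", "DE", "third party"),
)
SAMPLE_FLOWS = (
    DataFlow(("name", "email", "phone"), "database", "api", "HQ", "CRM SaaS"),
    DataFlow(("name", "bank account"), "spreadsheet", "email", "HQ", "Payroll bureau"),
    DataFlow(("name", "email"), "hard copy", "post", "Old fileshare", "HQ"),
)
SAMPLE_RECORD = Article30Record(
    controller="Example Ltd",
    purposes={"customer management": ("name", "email"),
              "payroll": ("name", "bank account")},
    recipients={"Payroll bureau"},
    third_countries={"US"},
    safeguards={},
    retention={"name": "6 years", "email": "6 years", "bank account": "7 years"},
    security_measures=("encryption at rest", "role-based access", "staff training"),
)


def sample_findings():
    return check_record(SAMPLE_RECORD, SAMPLE_LOCATIONS, SAMPLE_FLOWS)


if __name__ == "__main__":
    for finding in sample_findings():
        print("-", finding)
```

Run against the sample inventory, the check reports five gaps: the CRM provider is not listed as a recipient, the US transfer has no safeguard, "phone" has no retention period, "Old fileshare" is a source nobody registered, and "phone" is collected without any recorded purpose. Each of those is exactly the kind of unaccounted-for data the blog warns about, and the last one is the data minimisation opportunity.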
Want help conducting a data flow audit?
You can get more comprehensive advice by reading our free green paper: Conducting a Data Flow Mapping Exercise Under the GDPR. It outlines data flow mapping techniques, which will help you put your knowledge into practice.
You might also be interested in Vigilant Software’s Data Flow Mapping Tool. This tool simplifies the mapping process and makes it easy for you to review, revise and update maps when needed.
Learn more about the GDPR from our experts
If you have a question about Article 30 or any other GDPR topic, use our GDPR Ask Us service. For just £15, we’ll answer any GDPR question via email or live chat.