The GDPR is clear
In order to demonstrate compliance with this regulation, the controller and processor should maintain records of processing activities under its responsibility. Each controller and processor should be obliged to cooperate with the supervisory authority and make those records, on request, available to it, so that it might serve for monitoring those processing operations.
Apart from certain contact details, you’re also required to maintain information such as processing purposes and the categories of data subjects and personal data, as well as the details of recipients to whom you might disclose personal data, safeguards for transfers of personal data to third countries and the data processing security measures you’ve implemented.
Joining the dots
Data mapping (or process mapping as it’s less commonly called) is essential to understanding and maintaining your personal data landscape. In order to maintain your records of processing activities you must understand who your data subjects are, why you’re processing their data, whether the processing is legal and where it’s being processed. This information must be readily available and kept in a single and secure place. You never know when the supervisory authority will come knocking or when, for example, you’ll need the information to support a personal data breach inquiry.
At the outset, let us say that even though there is a (conditional) exception for organisations employing fewer than 250 individuals, all organisations are encouraged to keep these records. Viewing this requirement in isolation from other obligations is risky. Activities such as data mapping and compliance with other GDPR obligations require regular review, and these activities would ordinarily require some form of record-keeping anyway. Post-it notes and spreadsheets just won’t do.
If you answer yes to any one of the following questions, you need to show records of your processing activities:
Are there more than 250 employees in the organisation (not the group)?
Is the processing more than occasional (e.g. more than once or twice a year)?
Are any special categories of (sensitive) personal data processed?
Is any data relating to criminal convictions or offences processed?
Would the processing be likely to result in risk to the rights and freedoms of individuals?
With GDPR365 your processing activities are recorded as a function of using the compliance tool. Contact GDPR365 to find out more about it.