
How do you meet the requirements of GDPR Article 30?

If you know no other article of the GDPR, you should know Article 30.

That’s because Article 30 sets out exactly what most organisations need to document to comply with the regulation. I say most because Article 30(5) exempts organisations with fewer than 250 employees, unless the processing they carry out is likely to result in a risk to the rights and freedoms of individuals, is more than occasional, or includes special category personal data or data relating to criminal convictions and offences.

What do you need to do to meet the requirements of Article 30 of GDPR?

  • Create and maintain a data map that can easily be kept up to date, to show how personal data flows through your organisation.
  • Record the information needed for Article 30 and be able to generate a status report on demand.
  • Use a sustainable process to ensure you’re always meeting Article 30 requirements.

Why use visual data maps?

A data map makes it easier to see how personal data flows through your organisation while an Excel spreadsheet confines things to linear rows and columns. 

What do you need to record and document?

Since substantial records are required, each organisation needs to document all its processing activities, including:

If it is a controller:

  • The name and contact details of the controller and, where applicable, of any joint controller, the controller’s representative and the data protection officer
  • The purposes of the processing
  • The categories of data subjects and the categories of personal data being processed
  • The categories of recipients to whom the data has been or will be disclosed, including recipients in third countries
  • Any transfer of personal data outside the EU/EEA, identifying the destination country and the legal justification or safeguards relied on
  • Where possible, how long each category of data will be held
  • Where possible, a general description of the technical and organisational security measures in place

If it is a processor (it processes personal data on behalf of a controller):

  • The name and contact details of the processor and of each controller on whose behalf it acts, together with their representatives and data protection officers where applicable
  • The categories of processing it carries out on behalf of each controller
  • Any transfer of personal data outside the EU/EEA, identifying the destination country and the legal justification or safeguards relied on
  • Where possible, a general description of the technical and organisational security measures in place
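To make the two record types concrete, here is an added example of a minimal record of processing activities with a completeness check and an on-demand status report. It is not PrivIQ’s software or code from this page; the field names, the (non-exhaustive) EEA country set and the two sample records are assumptions constructed for illustration, and the check that every transfer outside the EEA carries a recorded justification follows this page’s simplified description rather than the full text of Article 30(1)(e).

```python
# Added example (not PrivIQ's code): a minimal Article 30 record of processing
# with a completeness check and a plain-text status report. Field names,
# the EEA set and the sample records are constructed for illustration.
from dataclasses import dataclass, field
from typing import List, Optional

# Constructed, non-exhaustive set of EU/EEA country codes used to decide
# whether a transfer leaves the EEA. Extend before real use.
EEA = {"AT", "BE", "DE", "DK", "ES", "FI", "FR", "IE", "IS",
       "IT", "LI", "NL", "NO", "PL", "PT", "SE"}


@dataclass
class Transfer:
    country: str                          # ISO 3166-1 alpha-2 destination
    justification: Optional[str] = None   # e.g. "adequacy decision", "SCCs"


@dataclass
class ProcessingActivity:
    role: str                             # "controller" or "processor"
    organisation: str
    contact: str
    purpose: Optional[str] = None                                 # controller
    data_subjects: List[str] = field(default_factory=list)        # controller
    data_categories: List[str] = field(default_factory=list)      # controller
    recipients: List[str] = field(default_factory=list)           # controller
    retention: Optional[str] = None                               # controller
    on_behalf_of: List[str] = field(default_factory=list)         # processor
    processing_categories: List[str] = field(default_factory=list)  # processor
    transfers: List[Transfer] = field(default_factory=list)
    security_measures: Optional[str] = None


# Fields the page lists as required for each role (Article 30(1) and 30(2)).
REQUIRED = {
    "controller": ["organisation", "contact", "purpose", "data_subjects",
                   "data_categories", "recipients", "retention",
                   "security_measures"],
    "processor": ["organisation", "contact", "on_behalf_of",
                  "processing_categories", "security_measures"],
}


def gaps(activity: ProcessingActivity) -> List[str]:
    """Return what is still missing before this record is complete."""
    if activity.role not in REQUIRED:
        return [f"unknown role {activity.role!r}"]
    missing = [f"{name} not recorded"
               for name in REQUIRED[activity.role]
               if not getattr(activity, name)]
    # Transfers outside the EU/EEA need a recorded legal justification.
    for t in activity.transfers:
        if t.country.upper() not in EEA and not t.justification:
            missing.append(f"transfer to {t.country} has no legal justification")
    return missing


def report(activities: List[ProcessingActivity]) -> str:
    """Render the on-demand status report, one section per activity."""
    lines = []
    for a in activities:
        problems = gaps(a)
        status = "COMPLETE" if not problems else f"INCOMPLETE ({len(problems)} gap(s))"
        lines.append(f"[{a.role}] {a.organisation} ({a.contact}): {status}")
        if a.purpose:
            lines.append(f"  purpose: {a.purpose}")
        for t in a.transfers:
            lines.append(f"  transfer: {t.country} / "
                         f"{t.justification or 'no justification recorded'}")
        for p in problems:
            lines.append(f"  - {p}")
    return "\n".join(lines)


# Constructed sample records: one complete controller record and one
# processor record with two gaps (no security measures, US transfer
# without a justification).
SAMPLE = [
    ProcessingActivity(
        role="controller", organisation="Example Ltd", contact="dpo@example.test",
        purpose="payroll", data_subjects=["employees"],
        data_categories=["name", "bank details"], recipients=["payroll provider"],
        retention="6 years after employment ends", transfers=[Transfer("IE")],
        security_measures="encryption at rest, role-based access"),
    ProcessingActivity(
        role="processor", organisation="Cloud Host Inc",
        contact="privacy@cloudhost.test", on_behalf_of=["Example Ltd"],
        processing_categories=["hosting", "backup"], transfers=[Transfer("US")]),
]

if __name__ == "__main__":
    print(report(SAMPLE))
```

Running the block prints the status report for the two sample records; the processor record is flagged as incomplete because no security measures are recorded and the transfer to the US has no justification. In practice the same structure would be populated from the data map rather than typed by hand, so that the report is regenerated rather than maintained separately.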

How do you begin?

You need to complete an information audit to identify every category of individual your organisation holds personal data on, and to clarify exactly what information you keep and where it is stored.

At PrivIQ, we make this process simple and iterative. First you define the categories of individuals (or types of data subjects) you hold personal data on. Then you define the purposes for which you hold this personal data and exactly what kind of personal data you hold to achieve this purpose.

By taking you through a workflow for each data subject and purpose, you’re able to evaluate your processes, confirm which records you are required to keep, and work out whether any additional records need to be collected. The visual data map in PrivIQ software makes it easy for you to review this and ensure it’s correct.

How do you maintain and update your records?

Once you’ve completed the data map, our GDPR software will auto-generate your record of processing activities. Provided your data map is kept up to date, you can produce the required report at the push of a button.

Furthermore, you can set notifications to receive reminders to review your data map. This ensures that you revisit the data map to reflect operational changes that may have occurred in your organisation and to include new clients that you’re doing data processing for.

PrivIQ makes the documentation requirements of Article 30 as easy as 1, 2, 3, 4.

  1. Our data mapping workflow simplifies the complexity of creating a detailed data inventory.
  2. Our data mapping visualisation makes it easy to review.
  3. You can generate a report of your processing at the push of a button.
  4. Our notifications remind you to update and maintain your records.

What are you waiting for? Make compliance easier. Contact us today.
