Your obligations to keep records of data processing under GDPR

Transcript of the Video

Good evening everybody, Suzanne Dibble here, Data Protection Law Expert, coming to you raw and uncut in the evening again because I've not had time to do a Facebook live. God damn it. I love doing Facebook live with you. Love getting you all on there and being engaged and asking questions, but the days are just running away with themselves, so I'm sneaking in these videos at 11:00 at night, because I committed to doing a video a day, and that's what I'm going to do.

Today I want to talk about your duty, potentially your duty, and I'll come on to whether it will be your duty or not because there are certain categories of people that will have to do it, and those who won't, the duty to record processing activities. Now, at the moment, the way that this is dealt with is we register, allegedly, small businesses register, well every business registers with the Information Commissioner's Office here in the UK, there are the supervisory authorities that people register within the EU countries, and we pay our 35 pounds fee, and we fill in a form that details our processing activities.

Now, as you may know, that is going out the window, and what's coming in instead is this concept of accountability, it's internal accountability, but with the proviso that the records have to be there, for presentation to the supervisory authority should they demand to see them. Let's talk about who needs to keep records of processing activities. Let me just scroll down so I can read this, make sure I get it exactly right. It's in article 30 of GDPR, and this duty to keep records of processing applies to organizations that employ at least 250 people.

Now you might be thinking, "Hooray, I don't employ 250 people, I'm all right." Well, it's not quite that simple. As you might expect from GDPR at the moment, having listened to me a few times, you'll know that it's not always that black and white, it also applies to organizations that employ fewer than 250 persons, if their processing activities create risks to the rights and freedoms of data subjects that occur regularly, that relate to special categories of personal data, which as you know is sensitive data, or relate to criminal conviction and offense data.

If you fall into those categories, and it's an or, so it's any of those categories, if your processing activities create risks to the rights and freedoms of data subjects, if they occur regularly, if they relate to special categories of personal data, sensitive data, or relate to criminal conviction and offense data, then you have to keep certain records of your processing, and if the ICO come along, or your relevant supervisory authority comes along, you are expected to be able to produce those records of your processing.

Now, the good news is, I suppose, if you've got any question over whether you fall within those categories, and you do have this record-keeping requirement, it's not actually that onerous. There's a form that will be included in my GDPR pack that you go through and complete. It's actually a good discipline to do, because really, what you want to be doing is a data inventory: sitting down and thinking about all the data on individuals that you hold, because you'll be wanting to work out what the legal ground of processing is.

I've talked about this on previous videos; if you do a search in the videos tab, you'll see that there are a number of grounds of legal processing, and consent is just one of them. There are legitimate interests, there's the requirement to fulfil a contractual obligation, requirements for legal obligations, there are a number of them. You should break down each processing activity, and match that up with a lawful ground of processing.

For example, you process your payroll data, well that is to enable you to fulfill the contract with the employee, you pass on employee data to the tax man, that's to fulfill a legal obligation. You want to send marketing emails to your prospects, that's typically going to be based on consent. You need to do that data inventory, work out exactly what data you hold on individuals, and then match it to the legal ground of processing. Then really, this requirement, the recordkeeping requirement is to keep that up to date really. If anything changes, if there's new processing, you add that to the list. But the easiest thing to do, if you're in any doubt as to whether you are included in that definition of those organizations that are required to keep records, then I'd just do it, it's probably a good exercise.

I'm going to keep this video short and sweet. Just a flag to you that there is this obligation. I'll post in the comments to this the criteria for those organizations that do have to comply, but as I say, if you're in any doubt as to whether you do need to comply, my advice is, just comply, because it shouldn't actually be that onerous and because it will help you comply in the wider sense in terms of the lawful processing, and the transparency with GDPR. There you go, short and sweet.

Really looking forward to seeing you on the training tomorrow. We've got over 500 people registered, not sure how many will turn up live because I have promised a replay. I'm just really excited that people are actually so interested in this area. We're going to have great fun, great fun and GDPR in the same sentence, yes, we're going to have great fun on the live training tomorrow at 1:00 pm. Hope to see a lot of you on that. I've been through all of your questions that you've asked in the group that I haven't yet answered, and I'll certainly be drawing those in. It's going to have very much a sales and marketing life-cycle slant. Yeah, looking forward to seeing you there.