Documentation and GDPR – What has changed?
It’s standard practice and a legal requirement in most organisations to keep documentation on the details of data sharing and data retention. Documenting this information is an effective way of demonstrating that you comply with the General Data Protection Regulation and reinforces that you can be trusted with information and data security.
Although the documenting of processing activities is new under GDPR, if you have registered with the Information Commissioner’s Office under the Data Protection Act 1998, you will be familiar with the types of documentation they request.
The arrival of GDPR means that when an organisation registers with the ICO, they will no longer need to provide that information. They should simply make it available to the ICO if it is requested. The main emphasis will be on accountability.
Why is it important to document your processing activities?
As we touched on earlier, documentation is a legal requirement, but this good practice can be used in a number of ways, including improving your business efficiency and data governance.
Handling subject access requests is made a whole lot easier when you have accurately documented the personal data of your employees, customers and suppliers. When it comes to reviewing your processing activities, documentation will help you make sure that you are only holding relevant data.
Want a first look at our new Personal Data Inventory Tracker?
This new ISMS.online feature helps you with the documentation aspect of the GDPR
Are there exemptions in place regarding GDPR documentation?
If you run a small or medium-sized business then there is an exemption in place in the GDPR. This means that if you employ less than 250 people you only need to document data processing activities that are:
- not a one-off or rare occurrence; or
- likely to be considered intrusive or a risk to rights and freedoms; or
- connected to any special category data.
At the time of writing, the ICO noted:
“The Article 29 Working Party (WP29) is currently considering the scope of the exemption from documentation of processing activities for small and medium-sized organisations.
“WP29 includes representatives from the data protection authorities of each EU member state. It adopts guidelines for complying with the requirements of the GDPR.
“If necessary, we will update this guidance to reflect the outcome of WP29’s discussions.”
Documentation for the GDPR – In summary
Accountability is the main principle behind documentation, and much of the GDPR in fact. When you get to grips with that, demonstrating you are complying with your obligations under the GDPR should become second nature – particularly if you are running an information security management system!