Explaining GDPR Record Keeping
In the section below, we explain the implications of Articles 5, 6 and 30 for your business. Under GDPR, record keeping is an expectation of the law, while data inventory and data mapping are the means of ensuring your business practices are compliant.
Businesses must adopt new rules for data processing to comply with GDPR
Before GDPR, companies could collect as much personal data from data subjects (defined as identifiable individuals about whom personal data is held) as they wished, with or without the knowledge or consent of the data subject, and still be operating lawfully. This is no longer the case for businesses within the scope of GDPR. The Regulation introduced new principles for how personal data ought to be processed and new standards for what is considered “lawful processing” (Articles 5 and 6). Data controllers and/or data processors are also accountable to supervisory authorities for any and all data processing activities conducted by their respective business(es), and are required to clearly document these activities (Article 30).
Article 5 mandates that personal data be processed in a manner that is: lawful, transparent and fair; collected for a specific and limited purpose; limited to the minimum amount of data necessary for that purpose; accurate and kept up to date, with corrections to the data processed without delay; stored for no longer than is necessary to fulfill the processing activities; and secured and protected according to appropriate standards.
Article 6 states that, in the absence of consent for processing from the data subject, data processing may still be considered lawful if it is necessary for the performance of a contract, is in the legal or vital interests of the data subject, or is necessary in the public interest.
Article 30 defines the information that must be clearly recorded by data controllers and/or processors as it relates to data processing activities, including categories of data, the group of data subjects, the purpose of the processing and the recipients of the data. This information must be made available to supervisory authorities upon request, meaning these data processing records ought to become standard operating procedure for companies that collect or process personal data.
What does this mean for my business?
Companies that process personal data (“data controllers” and/or “data processors”) are expected to have greater insight into how their business manages personal data processing activities than they did before GDPR came into effect. Personal data processors and/or collectors are also expected to record all data processing activities so that the information can be readily shared with data subjects in response to a data subject access request (DSAR) and in reports to supervisory authorities, the institutions that monitor data processing.
The first step to complying with GDPR is to conduct an audit of the different categories of personal data stored in your organization's databases (known as a “data inventory”). Once the categories of personal data are identified, it is important to understand where this personal data goes after collection (known as a “data map”). Next, your organization would be wise to conduct a rigorous assessment of the purposes for processing each of these personal data categories.
Once the data inventory is complete, the data map is constructed, and the data assessment has been reviewed by all relevant stakeholders, your business ought to implement procedures that ensure a streamlined recording and reporting process, simplifying communication about data processing activities with the supervisory authority.
Ask us your questions about the implications of GDPR for your business.