How to create an Article 30 Record

Records can be interesting if you are a Strava athlete. Or a collector of vinyl. But Article 30 Records are not interesting. Even if we call them by their other name - ‘Records of Processing Activities’ - they still don’t sound interesting. And they are not. What they are is an essential (and often legally required) building block of any data protection compliance programme.

By Nigel Jones

Co Founder of The Privacy Compliance Hub

Article 30 Record

In this ‘Practical Privacy Series’ our aim is to give the benefit of our experience to those of you who may be building a privacy compliance programme for the first time.  You may only have a limited understanding of data protection and privacy. Perhaps this is not your main job. Or perhaps you are relatively new to creating and maintaining data protection compliance programmes.  It may be that you know the law, but you’ve never put it into practise before.

We appreciate that in these circumstances certain jobs may appear daunting.  Or you may want the confidence to know that you are on the right track, or that there are certain things that everyone finds tricky.  Hopefully, we can help and give you the confidence to get this right.

Start with your data flows

Where to start?  You should already have drawn your data flows.  If not, go back and do them!  They allow you to start the conversation about what data your organisation processes.  It is only with these conversations happening that you are going to be able to complete an accurate and up to date Article 30 Record.  Look at your completed data flows and start to copy across what you learned from those data flows into your Article 30 Record. But first you have to get the basics right. 

Get the basics right

You need the following basic information on any Article 30 Record:

  • the name of the data controller;
  • contact details of the data controller; and
  • the name and contact details of any joint controller.

As with anything that is based on a law, the lawyers have then tried to make things complicated.  The GDPR (and this article) sets out what has to be included in an Article 30 Record. However, different regulators have come up with slightly different templates.  Not helpful. Just do your best, read this article, keep motoring on and do what we should all do when things get tricky – go back to what privacy law is trying to do which is to protect personal data and give individuals rights in relation to their data.  If your Article 30 Record is achieving that then you are on the right track.

Now think about your categories of individual

With our own Article 30 Record at The Privacy Compliance Hub we found it easier to start with categories of individual (eg. user of our platform) rather than with individual categories of personal data (eg emails), because depending on how we collect a piece of personal data, the way we process it is different.

The categories of individual we came up with were as follows:

  • general contacts (eg people that email us);
  • individuals mentioned in content uploaded into the Hub by our users;
  • individual users of our Hub (Hubbers) with their own individual user accounts;
  • Hub Owners (ie our main contact or billing contact);
  • Vendors/Partners (eg. our web designers); and
  • sales prospects (ie. people who click on our online advertisements)

Your categories are likely to  be different, but we think it helps to see how other people have done it.

Think about your categories of personal data

What categories of data do your customers give you (name, email address?).  What categories of data do your sales prospects give you (IP address, name, telephone number?).  You get the idea! Put them in your Article 30 Record.

Check your work against your data flows

Time to go back and check where you have got to with your data flows.  Your Article 30 Record and your data flows need to match up (more often than not, if your data flows change, your Article 30 Record will need to change as well).  If they don’t match up, make them by altering whichever is slightly wrong. But don’t beat yourself up about getting it wrong – this is all part of the process.

Sit down and talk

Not only can the completion of your Article 30 Record seem a little tedious, completing it can be tricky.  Some questions don’t have easy answers. Don’t worry – it is the same for everyone. This is why talking it through is invaluable.  You are likely to have already had several internal conversations about your data flows.  Hopefully, you have a cross departmental team of people contributing to your data protection compliance programme.  This is certainly not a job for one person if you want to get it right!

Questions such as whether you are acting as a controller or processor in certain circumstances can be difficult and can only be solved by discussion.  At The Privacy Compliance Hub, we also provide a library of useful resources to help.

Complete the rest of the information required

You are now in a position to complete all the sections of any Article 30 Record such as:

  • the location of the personal data;
  • the purpose of the processing;
  • the lawful basis for the processing;
  • how long you keep the personal data;
  • whether you share the personal data and, if so, with whom;
  • whether the personal data is transferred out of the country; and
  • what steps you take to protect it.

Don’t worry or stop if you don’t have all the information

You may not have sat down and talked about how long you keep each category of personal data and why.  You may not have checked where each one of your Vendors or Partners is based (for example, if you use a cloud provider, you may not know whether the personal data processed by that supplier is in the UK, Ireland or the USA).  Keep ploughing on. Your Article 30 Record is a living document anyway and the stage you have got to now is way better than where you were when you started! Don’t get distracted or disheartened by what you don’t know. Celebrate in the progress you are making.

Write it down/put it in a table/fill out a spreadsheet

Make sure that you keep your Article 30 Record somewhere safe.  If you are a customer of The Privacy Compliance Hub (or a ‘Hubber’ as we call them), your structured Article 30 Record will have been created in your very own Hub which is the one place where you record and demonstrate all your data protection compliance.  It is also the one place where anyone in your organisation with the necessary access can check on the current status of your data protection compliance as well as where they search for up to date information and templates. The Article 30 Record in the Hub looks like this:

Article 30 Record

Ch, ch, check it out

Get your cross departmental team to check the first draft of your Record.  There are sure to be comments and queries. It is only by encouraging such discussion that you create a culture of continuous privacy compliance which is key to any successful data protection compliance programme.

Revisit your Article 30 Record

You need to keep your Article 30 Record up to date.  As you develop new products and processes and take on different suppliers, your data flows and your Article 30 Record will change.  You need a process in place to enable you to capture these changes, record them in revised data flows and a revised Article 30 Record and then amend your privacy notices as necessary.  At The Privacy Compliance Hub, our Route Map easily guides you through this process so that nothing is forgotten.

Watch this product walkthrough video to see what The Privacy Compliance Hub could do for your organisation.  With our unique Eight Privacy Promises it helps you establish and maintain a culture of continuous privacy compliance.

WATCH VIDEO

A culture of continuous privacy compliance

At The Privacy Compliance Hub, we help organisations establish and maintain a culture of continuous privacy compliance by making everyone in an organisation understand privacy, care about privacy and do their bit to protect personal information.  Our platform contains a structure, a programme, a route map, records, information, reporting and training to enable all organisations to build that culture and comply with privacy rules including the GDPR and the CCPA.

More to watch and read