In this ‘Practical Privacy Series’ our aim is to give the benefit of our experience to those of you who may be building a privacy compliance programme for the first time. You may only have a limited understanding of data protection and privacy. Perhaps this is not your main job. Or perhaps you are relatively new to creating and maintaining data protection compliance programmes. It may be that you know the law, but you’ve never put it into practice before.
We appreciate that in these circumstances certain jobs may appear daunting. Or you may want the confidence to know that you are on the right track, or that there are certain things that everyone finds tricky. Hopefully, we can help and give you the confidence to get this right.
Start with your data flows
Where to start? You should already have drawn your data flows. If not, go back and do them! They allow you to start the conversation about what data your organisation processes. It is only with these conversations happening that you are going to be able to complete an accurate and up-to-date Article 30 Record. Look at your completed data flows and start to copy across what you learned from them into your Article 30 Record. But first you have to get the basics right.
Get the basics right
You need the following basic information on any Article 30 Record:
- the name of the data controller;
- contact details of the data controller; and
- the name and contact details of any joint controller.
As with anything that is based on a law, the lawyers have then tried to make things complicated. The GDPR (and this article) sets out what has to be included in an Article 30 Record. However, different regulators have come up with slightly different templates. Not helpful. Just do your best, read this article, keep motoring on and do what we should all do when things get tricky – go back to what privacy law is trying to do which is to protect personal data and give individuals rights in relation to their data. If your Article 30 Record is achieving that then you are on the right track.
Now think about your categories of individual
With our own Article 30 Record at The Privacy Compliance Hub we found it easier to start with categories of individual (eg user of our platform) rather than with individual categories of personal data (eg emails), because depending on how we collect a piece of personal data, the way we process it is different.
The categories of individual we came up with were as follows:
- general contacts (eg people that email us);
- individuals mentioned in content uploaded into the Hub by our users;
- individual users of our Hub (Hubbers) with their own individual user accounts;
- Hub Owners (ie our main contact or billing contact);
- Vendors/Partners (eg our web designers); and
- sales prospects (ie people who click on our online advertisements).
Your categories are likely to be different, but we think it helps to see how other people have done it.
Think about your categories of personal data
What categories of data do your customers give you (name, email address?). What categories of data do your sales prospects give you (IP address, name, telephone number?). You get the idea! Put them in your Article 30 Record.
Check your work against your data flows
Time to go back and check where you have got to with your data flows. Your Article 30 Record and your data flows need to match up (more often than not, if your data flows change, your Article 30 Record will need to change as well). If they don’t match up, make them match by altering whichever one is wrong. But don’t beat yourself up about getting it wrong – this is all part of the process.
Sit down and talk
Not only can completing your Article 30 Record seem a little tedious, it can also be tricky. Some questions don’t have easy answers. Don’t worry – it is the same for everyone. This is why talking it through is invaluable. You are likely to have already had several internal conversations about your data flows. Hopefully, you have a cross-departmental team of people contributing to your data protection compliance programme. This is certainly not a job for one person if you want to get it right!
Questions such as whether you are acting as a controller or processor in certain circumstances can be difficult and can only be solved by discussion. At The Privacy Compliance Hub, we also provide a library of useful resources to help.