In this ‘Practical Privacy Series’ our aim is to pass on the benefit of our experience to those of you who may be building a privacy compliance programme for the first time. You may have only a limited understanding of data protection and privacy. Perhaps this is not your main job. Or perhaps you are relatively new to creating and maintaining data protection compliance programmes. It may be that you know the law, but you’ve never put it into practice before.
We appreciate that in these circumstances certain jobs may appear daunting. Or you may want the confidence to know that you are on the right track, or that there are certain things that everyone finds tricky. Hopefully, we can help and give you the confidence to get this right.
Start with your data flows
Where to start? You should already have drawn your data flows. If not, go back and do them! They allow you to start the conversation about what data your organisation processes. It is only with these conversations happening that you are going to be able to complete an accurate and up to date Article 30 Record. Look at your completed data flows and start to copy across what you learned from those data flows into your Article 30 Record. But first you have to get the basics right.
Get the basics right
You need the following basic information at the top of any Article 30 Record (this is what Article 30(1)(a) asks for):
- the name and contact details of the data controller;
- the name and contact details of any joint controller; and
- where applicable, the name and contact details of the controller’s representative and of the data protection officer.
As with anything that is based on a law, the lawyers have then tried to make things complicated. The GDPR (and this article) sets out what has to be included in an Article 30 Record. However, different regulators have come up with slightly different templates. Not helpful. Just do your best, read this article, keep motoring on and do what we should all do when things get tricky – go back to what privacy law is trying to do which is to protect personal data and give individuals rights in relation to their data. If your Article 30 Record is achieving that then you are on the right track.
Now think about your categories of individual
With our own Article 30 Record at The Privacy Compliance Hub we found it easier to start with categories of individual (eg a user of our platform) rather than with categories of personal data (eg email addresses), because the way we process a piece of personal data depends on how, and from whom, we collected it.
The categories of individual we came up with were as follows:
- general contacts (eg people that email us);
- individuals mentioned in content uploaded into the Hub by our users;
- individual users of our Hub (Hubbers) with their own individual user accounts;
- Hub Owners (ie our main contact or billing contact);
- Vendors/Partners (eg our web designers); and
- sales prospects (ie people who click on our online advertisements).
Your categories are likely to be different, but we think it helps to see how other people have done it.
Think about your categories of personal data
What categories of data do your customers give you (name, email address?). What categories of data do your sales prospects give you (IP address, name, telephone number?). You get the idea! Put them in your Article 30 Record, against the category of individual they come from. Flag any special category data (for example health data) separately, as it needs an Article 9 condition on top of a lawful basis and tighter protection.
Check your work against your data flows
Time to go back and check where you have got to with your data flows. Your Article 30 Record and your data flows need to match up (more often than not, if your data flows change, your Article 30 Record will need to change as well). If they don’t match, align them by correcting whichever one is wrong. But don’t beat yourself up about getting it wrong – this is all part of the process.
Sit down and talk
Completing your Article 30 Record can seem a little tedious, and it can also be tricky. Some questions don’t have easy answers. Don’t worry – it is the same for everyone. This is why talking it through is invaluable. You are likely to have already had several internal conversations about your data flows. Hopefully, you have a cross-departmental team of people contributing to your data protection compliance programme. This is certainly not a job for one person if you want to get it right!
Questions such as whether you are acting as a controller or processor in certain circumstances can be difficult and can only be solved by discussion. At The Privacy Compliance Hub, we also provide a library of useful resources to help.
Complete the rest of the information required
You are now in a position to complete the remaining sections of any Article 30 Record, such as:
- the location of the personal data;
- the purpose of the processing;
- the lawful basis for the processing;
- how long you keep the personal data (or the criteria you use to decide);
- whether you share the personal data and, if so, with which categories of recipient;
- whether the personal data is transferred outside the UK or EEA and, if so, the safeguards you rely on; and
- what technical and organisational steps you take to protect it.
Don’t worry or stop if you don’t have all the information
You may not have sat down and talked about how long you keep each category of personal data and why. You may not have checked where each one of your Vendors or Partners is based (for example, if you use a cloud provider, you may not know whether the personal data processed by that supplier is held in the UK, Ireland or the USA; the provider’s data residency settings and its published list of sub-processors are the place to check). Keep ploughing on. Your Article 30 Record is a living document anyway and the stage you have got to now is way better than where you were when you started! Don’t get distracted or disheartened by what you don’t know. Celebrate the progress you are making.
Write it down/put it in a table/fill out a spreadsheet
Make sure that you keep your Article 30 Record somewhere safe, with access limited to the people who need it. It must be kept in writing (electronic form is fine) and you must be able to produce it to the supervisory authority on request, so keep a current version that you can export easily. If you are a customer of The Privacy Compliance Hub (or a ‘Hubber’ as we call them), your structured Article 30 Record will have been created in your very own Hub, which is the one place where you record and demonstrate all your data protection compliance. It is also the one place where anyone in your organisation with the necessary access can check on the current status of your data protection compliance, as well as where they search for up to date information and templates. The Article 30 Record in the Hub looks like this:
Ch, ch, check it out
Get your cross-departmental team to check the first draft of your Record. There are sure to be comments and queries. It is only by encouraging such discussion that you create a culture of continuous privacy compliance, which is key to any successful data protection compliance programme.
Revisit your Article 30 Record
You need to keep your Article 30 Record up to date. As you develop new products and processes and take on different suppliers, your data flows and your Article 30 Record will change. You need a process in place to enable you to capture these changes, record them in revised data flows and a revised Article 30 Record and then amend your privacy notices as necessary. At The Privacy Compliance Hub, our Route Map easily guides you through this process so that nothing is forgotten.