GDPR Documentation Requirements
The European Union (EU) General Data Protection Regulation (GDPR) takes effect on May 25, 2018 and sets out specific documentation requirements. From that date, institutions and entities that process or store personal data relating to EU residents will be obliged to follow the standards set out in the new law. One area to note in particular is the documentation requirement outlined in Article 30: Records of processing activities. In their capacity as data controller, organizations will be required to record how they process data, along with other aspects of their data processing activities. Failure to do so could result in hefty fines or other serious penalties.
Article 30 of the law lists a number of records that must be maintained by the data controller or by the representative acting on their behalf. The list includes basic information, such as the name and address of the data controller, their Data Protection Officer (if relevant) and their representative, as well as the purpose of the processing. It also includes more detailed information: transfers of data to non-EU countries or international organizations, the security methods used to protect transferred and stored data, and the estimated time periods for which the data is planned to be kept before deletion.
The GDPR also requires a description of the categories of data subjects and the categories of personal data being processed to be recorded. This means the data controller must document, or otherwise record in writing, whether they are processing health, financial, or another type of information, and whether the people the data relates to are employees, customers, or otherwise affiliated persons. Article 30 explicitly states that the records must be in writing; under paragraph three of the Article, electronically recorded text is acceptable.
As part of ensuring compliance, the controller or processor of the data must be able to make all of the above-mentioned records available to the supervisory authority on request. Given that the amount of data that needs to be recorded is substantial, organizations should plan to implement systems and procedures that allow them to comply with the GDPR while remaining efficient. Such systems may include software for searching, categorizing, or cataloging data. The same kind of system may also be needed to comply with the GDPR's "right to be forgotten", under which individuals can request that the firms storing or processing their data delete it.
Smaller entities, those with fewer than 250 employees, are exempt from the GDPR documentation requirements except in certain circumstances. Organizations whose processing is systematic ("not occasional") are obliged to record their activities in line with the information noted above, as are organizations that process certain categories of data, such as high-risk or criminal data.
Below is a full list of the information that must be recorded by the institutions concerned:
- Name and contact details of the enterprise
- Name and contact details of Data Protection Officers, if applicable
- Name and contact details of any organization that co-controls any of the personal data being processed
- Name and contact details of representatives within the EU for organizations that are based outside of the EU
- Reason that the personal data is being processed, e.g. customer engagement
- Categories of data being processed, e.g. data subject’s relationship to the processor
- Type of data that is being processed, e.g. health information or financial information
- Details of any party that personal data is shared with
- Details of any non-EU countries to which personal data is transferred
- Details of protections applied for exceptional transfers of data, outlined in Article 49 of the GDPR
- Retention details for different types of personal data
- Details of security measures implemented to protect personal data