GDPR Documentation for SMEs

Chaucer / Digital Viewpoints  / GDPR Documentation for SMEs

A personal opinion by Paul Gillingwater @ Chaucer, MBA, CISM, CISSPGood news, everyone! There’s a silver lining in the GDPR cloud, if your company or Small to Medium Enterprise (SME) has fewer than 250 employees.

Article 30 requires businesses and other agencies to maintain “Records of Processing Activities”, which differ slightly depending on whether you are a data controller or data processor.

These records must describe the contact information for the controller (or processor), the purposes of processing, descriptions of categories of data subjects and personal data, transfers to third countries, data retention time limits, and a general description of technical and organizational measures in place to secure the data.

Generally, such records collectively are referred to as a Data Asset Register, a Data Inventory, ein Verarbeitungsübersicht Internes Verfahrensverzeichnis, Data Mapping or one of several other names I’ve come across.

Why is this necessary?

The intention of collecting and documenting these records is that they may be produced for inspection by the relevant data protection authority (such as the ICO in the U.K.) on demand.

Any business that cannot produce such records, or whose records are found to be deficient or inadequate, may be found in violation of Article 30 of the regulation, possibly leading to a financial penalty or other administrative measures.

Specifically, administrative fines up to €10 million, or up to 2 % of the annual global turnover of the preceding financial year, whichever is higher (Article 83 par. 4 (a)).

And the good news is?

The good news for small to medium enterprises, with a total of fewer than 250 employees, is that there is an exemption to maintain these records.

According to Article 30 para 5, “The obligations referred to in paragraphs 1 and 2 shall not apply to an enterprise or an organisation employing fewer than 250 persons unless the processing it carries out is likely to result in a risk to the rights and freedoms of data subjects, the processing is not occasional, or the processing includes special categories of data as referred to in Article 9(1) or personal data relating to criminal convictions and offences referred to in Article 10.”

Thus, there are exceptions to the exemption — if there is high risk, if processing is not occasional, or if special categories of data are involved, then Article 30 still applies, even if your company has fewer than five employees or business partners (such as a boutique legal practice or dental office.)

High Risk Processing

The exception relating to “a risk to the rights and freedoms of data subjects” is further elucidated in recital 75, which basically boils down to damages, such as financial loss due to identity theft, loss of reputation, loss of freedom or restriction on the rights of natural persons.

This becomes an even higher risk where the data of children or vulnerable persons is being processed, e.g. behaviour records of children in therapy.

Special Categories

The special categories of processing cover things such as medical records, trade union membership, religious affiliation, sexual orientation, arrests, criminal convictions and offences, racial or ethnic origin, political opinions, philosophical beliefs, genetic information and the results of analysis or predictive analytics in regards to behaviour, attitudes and personal profiling.

This is a very broad category, so be sure to take legal advice to ensure your processing is not in scope before deciding to ignore Article 30.

Processing is not occasional

Occasional means things which are carried out at irregular intervals, such as an employee survey. That would make the processing exempt, as opposed to a payroll process, which is certainly not occasional, because it’s usually a monthly event.

This is subject to interpretation, and we are awaiting more specific guidance on this from the Article 29 Working Party. See the ISO accountability and governance documentation for a description of documentation requirements, which will be updated when the WP29 advice is available.

If you’re confident your processing is occasional, seek professional and independent advice anyway before pulling the trigger on avoiding Article 30.

Criminal Convictions and Offences

This doesn’t apply solely to local authorities and police. There are approximately 300 competent authorities in the U.K. for whom this is in scope, but in fact any business which collects information, such as the results of a background check, must apply Article 30.

There are some exemptions for local authorities in the draft U.K. Data Protection Bill, relating to manual unstructured data, but that’s out of scope for this article.

Summing Up

In summary, many of the requirements for Article 30 documentation are congruent with the obligation to appoint a Data Protection Officer. Therefore, if you’ve already decided you need to appoint a DPO, then you are likely already in scope for Article 30 as well, even if you have fewer than 250 employees.

In general, it pays to be on the safe side — if you have 248 employees, don’t wait. There are plenty of other parts requiring documentation for SMEs. And make sure you are aware of exactly what constitutes personal data under GDPR, as opposed to US-centric concepts of PII.

Furthermore, note that the Article 30 exemption is partial — only exempted data processing activities are permitted to be excluded, so most companies have a mixture. For example processing a payroll every month is not exempted, but sending out the occasional staff newsletter may safely be ignored. Note however that you need to document your exemption and its rationale, just in case you are audited.

There are considerable benefits to conducting a Data Mapping exercise, as the resulting inventory will help businesses to become clearer about what data they are processing, and why. This may lead to further business insights, and potentially improve the competitiveness of the enterprise.

As a great starting point, I recommend you check out the work of the German data protection authorities here, available in both English and German. For U.K. companies, I especially recommend this documentation guidance from the ICO.

Chaucer can help

Chaucer has already helped many U.K. businesses to comply with GDPR by guiding them through a data mapping exercise consistent with the requirements of Article 30. We can use existing mapping tools, or work with Excel/ Word/ Sharepoint/ Azure as required.

We also have experience using tools such as OneTrust and SharpCloud, which are ideal for larger enterprises. Please do get in touch with us to discuss your Article 30 needs.